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Abstract 

We develop an incremental tableau-based decision procedures for the Alternating- 
s« ) \ time temporal logic ATL and some of its variants. While running within the theoretically 

t— ] • established complexity upper bound, we claim that our tableau is practically more efficient 

' in the average case than other decision procedures for ATL known so far. Besides, the 

ease of its adaptation to variants of ATL demonstrates the flexibility of the proposed 
procedure. 

Keywords: logics for multiagent systems, alternating-time temporal logic, decision proce- 
^ ■ dure, tableaux. 

m 

1 Introduction 

m 

OO ' Multiagent systems (|10j. |31j . [33], [26]) are an increasingly important and active area of 

interdisciplinary research on the border of computer science, artificial intelligence, and game 
theory, as they model a wide variety of phenomena in these fields, including open and in- 
teractive systems, distributed computations, security protocols, knowledge and information 
exchange, coalitional abilities in games, etc. Not surprisingly, a number of logical formalisms 



have been proposed for specification, verification, and reasoning about multiagent systems. 
These formalisms, broadly speaking, fall into two categories: those for reasoning about knowl- 
edge of agents and those for reasoning about abilities of agents. In the present paper, we 
deal with the latter variety of logics, the most influential among them being the so-called 
Alternating-time temporal logic (ATL), introduced in [3] and further developed in [3] and 

ATL and its modifications can be applied to multiagent systems in a similar way as 
temporal logics, such as LTL and CTL, are applied to reactive systems. First, since ATL- 
models can be viewed as abstractions of multiagent systems, ATL can be used to verify 
and specify properties of such systems. Given a model M and an ATL-formula (p, the task 
of verifying Ai with respect to the property expressed by ip is, in logical terms, the model 
checking problem for ATL, extensively discussed in [5]; a model-checker for ATL has also 
been developed, see [6]. Second, ATL can be used to design multiagent systems conforming 
to a given specification; then, ATL-formulae are viewed as specifications to be realized rather 
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than verified. In logical terms, this is the constructive satisfiability problem for ATL: given a 
formula (p, check if it is satisfiable and, if so, construct a model of (p. 

In the temporal logic tradition, in which ATL is rooted, two approaches to constructive 
satisfiability are predominant: tableau-based and automata-based. The relationship between 
the two is not, in our view, sufficiently well understood despite being widely acknowledged. 
The automata-based approach to ATL-satisfiability was developed in [29] and |17] . 

The aim of the present paper is to develop practically useful "incremental" (also called 
"goal-driven") tableau-based decision procedures (in the style of |32j) for the constructive 
satisfiability problem for the "standard" ATL and some of its modifications. Incremental 
tableaux form one of the two most popular types of tableau-based decision procedures for 
modal and temporal logics with fixpoint-defined operators (the most widely known examples 
being LTL and CTL). It should be noted that, while tableaux for logics with such operators 
employ all common features of the "traditional" tableaux for modal logics, comprehensively 
covered in [TT], [18], and [T2], they differ substantially from the latter, because they involve a 
loop-detecting (or equivalent) procedure that checks for the satisfaction of formulas containing 
fixpoint operators. 

As already mentioned, the alternative to the incremental tableaux for logics with fixpoint- 
definable operators are the "top-down" tableaux, developed, for the case of CTL and some 
closely related logics, in [9] (see also |S]) and essentially applied to ATL in [30J. A major 
practical drawback of the top-down tableaux is that, while they run within the same worst- 
case complexity bound as the corresponding incremental tableaux, their performance matches 
the worst-case upper bound for every formula to be tested for satisfiability. The reason 
for this "practical inefficiency" of the top-down tableaux is that they invariably involve the 
construction of all maximally consistent subsets of the so-called "extended closure" of the 
formula to be tested, which in itself requires the number of steps of the order of the theoretical 
upper bouncQ. Some authors consider it to be so great a disadvantage of the top-down 
tableaux that they propose non-optimal complexity tableaux for such logics, which they claim 
to perform better in practice (see [1]). 

We believe that the incremental tableaux developed in the present paper are intuitively 
more appealing, practically more efficient, and therefore more suitable both for manual and for 
computerized execution than the top-down tableaux, not least because checking satisfiability 
of a formula using incremental tableaux takes, on average, much less time than predicted 
by the worst-case complexity upper-bound. Furthermore, incremental tableaux are quite 
flexible and amenable to modifications and extensions covering not only variants of ATL 
considered in this paper, but also a number of other logics for multiagent systems, such as 
multiagent epistemic logics (see pH]), for which analogous tableau-based decision procedures 
have recently been developed in [16] and [15j . Lastly, it should be noted, that our tableau 
method naturally reduces (in the one-agent case) to incremental tableaux for CTL, which is 
practically more efficient (again, on average) than Emerson and Halpern's top-down tableaux 
from [9]. 

We should also mention that yet another type of tableau-based decision procedure for 
ATL, the so-called "tableau games", has been considered in [19j . Even though neither sound- 
ness nor completeness of the tableau games for the full ATL has been established in [19J, 

1 lt should be stressed that the top-down tableaux for ATL presented in [30] were not meant to serve as 
a practically efficient method of checking ATL-satisfiability, but rather were used as a tool for establishing 
the ExpTime upper bound for ATL, in particular, for the case when the number of agents is not fixed, as 
assumed in [29] and |17| . but taken as a parameter. 
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sound and complete tableau games for the "Next-time fragment of ATL" , namely, the Coali- 
tion Logic CL, introduced in [22] (see also [23] and [21] )> have been presented in [19]. 

The structure of the present paper is as follows: after introducing the syntactic and se- 
mantic basics of ATL in section [21 we introduce, in section [3j concurrent game Hintikka 
structures and show that they provide semantics for ATL that is, satisfiability-wise, equiv- 
alent to the one based on concurrent game models described in section [2j In section [H we 
develop the tableau procedure for ATL and analyze its complexity, while in section [5] we 
prove its soundness and completeness using concurrent game Hintikka structures introduced 
in section [31 In section El we briefly discuss adaptations of our tableau method for some 
modifications of ATL. 

2 Preliminaries: the multiagent logic ATL 

ATL was introduced in [3], and further developed in [4] and [5], as a logical formalism 
to reason about open systems (|20j), but it naturally applies to the more general case of 
multiagent systems. Technically, ATL is an extension of the multiagent coalition logics CL 
and ECL studied in [22], [23], and [21] (for a comparison of the logics, see [13] and [H]). 

2.1 ATL syntax 

ATL is a multimodal logic with CTL-style modalities indexed by subsets, commonly called 
coalitions, of the finite, non-empty set of (names of) agents, or players, that can be referred 
to in the language. Thus, formulae of ATL are defined with respect to a finite, non-empty 
set £ of agents, usually denoted by the natural numbers 1 through |S| (the cardinality of £), 
and a finite or countably infinite set AP of atomic propositions. 

Definition 2.1 ATL- formulae are defined by the following grammar: 

<p:=p\^<p\(<Pi^ | {A} 0<p | {A))n<p | ({A}(p! Uip 2 , 

where p ranges over AP and A ranges over P(S), the power-set of S. 

Notice that we allow (countably) infinitely many propositional parameters, but in line 
with traditional presentations of ATL (see, for example, [5]), only finitely many names of 
agents. We will show, however, after introducing ATL-semantics, that this latter restriction 
is not essential (see Remark 12. 161 below) and thus does not result in a loss of generality. 

The other boolean connectives and the propositional constant T ( "truth" ) can be defined 
in the usual way. Also, ((^4))0</? can be defined as (lAJ)TUip. As will become intuitively clear 
from the semantics of ATL, ((A))Oy> and ([A])Oip are not interdefinabldE 

The expression ((A)), where A C S, is a coalition quantifier (also referred to as "path 
quantifier" in the literature), while O ("next"), □ ("always"), and U ("until") are temporal 
operators. Like in CTL, where every temporal operator has to be preceded by a path quan- 
tifier, in ATL every temporal operator has to be preceded by a coalition quantifier. Thus, 
modal operators of ATL are pairs made up of a coalition quantifier and a temporal operator. 

2 A formal proof of this claim would require a suitable semantic argument, e.g., one involving bisimulations 
between models for ATL. As such an argument would take up quite a lot of space and is not immediately 
relevant to the contents of the present paper, we do not pursue it in this paper. 
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We adopt the usual convention that unary connectives have a stronger binding power 
than binary ones; when this convention helps disambiguate a formula, we usually omit the 
parentheses associated with binary connectives. 

Formulae of the form ((AJ)ipU^j and -i((A))n^> are called eventualities, for the reason ex- 
plained later on. 

2.2 ATL semantics 

While the syntax of ATL remained unchanged from [3] to [5], the semantics, originally 
based on "alternating transition systems" , was revised in [5] , where the notion of "concurrent 
game structures" was introduced. The latter are essentially equivalent to "multi-player game 
models" (|22j, [21]) and are more general than, yet yielding the same set of validities as, 
alternating transition systems — see [T3].|14|. 

In the present paper, we use the term "concurrent game models" to refer to the "concur- 
rent game structures" from [5] and, in keeping with the long-established tradition in modal 
logic, the term "concurrent game frames" to refer to the structures resulting from those by 
abstracting away from the meaning of atomic propositions. 

2.2.1 Concurrent game frames 

Concurrent game frames are to ATL what Kripke frames are to standard modal logics. 

Definition 2.2 A concurrent game frame (for short, CGF) is a tuple $ = (E, S, d, 6), where 

• S is a finite, non-empty set of agents, referred to by the numbers 1 through |S|; subsets 
of E are called coalitions; 

• S ^ is a set of states; 

• d is a function assigning to every agent a E E and every state s £ S a natural number 
d a (s) > 1 of moves, or actions, available to agent a at state s; these moves are identified 
with the numbers through d a (s) — 1. For every state s € S, a move vector is a k-tuple 
(o\, . . . , o\), where k = |E|, such that < a a < d a (s) for every 1 < a < k (thus, a a 
denotes an arbitrary action of agent a G T,). Given a state s € S, we denote by D a (s) 
the set {0, . . . ,d a (s) — 1} of all moves available to agent a at s, and by D(s) the set 
riaes D a (s) of all move vectors at s; with a we denote an arbitrary member of D(s). 

• 5 is a transition function assigning to every s £ S and a£ D(s) a state 5(s,cr) € S that 
results from s if every agent a € E plays move u a . 

All definitions in the remainder of this section refer to an arbitrarily fixed CGF. 

Definition 2.3 For two states s,s' € S, we say that s' is a successor of s (or, for brevity, 
an s-successor) if s' = 5(s,a) for some a€ D(s). 

Definition 2.4 A run in $ is an infinite sequence X = so, s\, . . . of elements of S such that, 
for all i > 0, the state Sj+i is a successor of the state Sj. Elements of the domain of X are 
called positions. For a run X and positions i,j > 0, we use X[i] and X[j,i] to denote the ith 
state of X and the finite segment 8j,Sj+i . . . ,Si of X, respectively. A run with A[0] = s is 
referred to as an s-run. 
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Given a tuple r, we interchangeably use r n and r(n) to refer to the nth element of r. We 
use the symbol (j as a placeholder for an arbitrarily fixed move of a given agent. 

Definition 2.5 Let s E S and let A C £ 6e a coalition of agents, where |E| = fc. ^4n A-move 
ox at state s is a k-tuple &a such that ox (a) € D a (s) for every a £ A and px(a') = jj /or every 
a' $l A. We denote by Da(s) the set of all A-moves at state s. 

Alternatively, yl-moves at s can be defined as equivalence classes on the set of all move 
vectors at s, where each equivalence class is determined by the choices of moves of agents in 
A. 

Definition 2.6 We say that a move vector a extends an A-move ox and write ox C a, or 
0"E o~a, if o(a) = ox (a) for every a £ A. 

Given a coalition A C £, an A-move ox G Da(s), and a (S \ j4)-move 0£\x £ Dz\a(s), we 
denote by ox U Oz\a the unique o"€ D(s) such that both ox Q o-and o^VX E c- 

Definition 2.7 Let ox € Da(s). The outcome o/ox at s, denoted by out(s,o~A), is the set of 
all states s' for which there exists a move vector o"€ D(s) such that oa E o~ and 5(s, a) = s' . 

Concurrent game frames are meant to model coalitions of agents behaving strategically in 
pursuit of their goals. Given a coalition A, a strategy for A is, intuitively, a rule determining 
at a given state what j4-move the agents in A should play. Given a state as a component of 
a run, the strategy for agents in A at that state may depend on some part of the history of 
the rur|l, the length of this "remembered" history being a parameter formally represented by 
an ordinal 7 < u. Intuitively, players using a 7-recall strategy can "remember" any number 
n < 7 of the previous consecutive states of the run. If 7 is a natural number, then 7 can 
be thought of as a number of the consecutive states, including the current state, on which 
an agent is basing its decision of what move to play. If, however, j = u, then an agent can 
remember any number of the previous consecutive states of the run. 

Given a natural number n, by S n we denote the set of sequences of elements of S of length 
n; the length of a sequence k is denoted by \n\ and the last element of k by l{n). 

Definition 2.8 Let A C £ be a coalition and 7 an ordinal such that 1 < 7 < u. A 7-recall 
strategy for A (or, a 7-recall ^.-strategy ,) is a mapping F\[y] '■ U i<n<i+7'S' n 1— > \J{Da(s) | 
s € S } such that ix[7](«0 e Da{1{k)) for every k € \J \< n< \ + ~ 1 S n . 

Remark 2.9 Given that 1 + u> = u, the condition of Definition \2.£\ for the case of uj -recall 
strategies can be rephrased in a simpler form as follows: Fa[uj] : |J \< n <u)S n 1— > \J{Da(s) | 
s € 5} such that Fa[lu](k) G Da(1(k)) for every k G (J i< n<UJ S n . 

Definition 2.10 Let FX[j] be a j-recall A-strategy. If ^ = uj, then Fa[j] is referred to as 
a perfect-recall ^4-strategy; otherwise, FXil] is referred to as a bounded-recall A-strategy. 
Furthermore, ifj = l, then FXij] is referred to as a positional A-strategy. 

3 In general, we might consider the case when an agent can remember any part of the history of the run; it 
suffices, however, for our purposes in this paper to consider only those parts that are made up of consecutive 
states of a run. 
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Thus, agents using a perfect-recall strategy have potentially unlimited memory; those 
using positional strategies have none (7 = 1 means that an agent bases its decisions on one 
state only, i.e., the current one); in between, agents using n-recall strategies, for 1 < n < lo, 
can base their decisions on the n — 1 previous consecutive states of the run as well as the 
current state. We usually write F A instead of F\[l] when 7 is understood from the context. 

Remark 2.11 Even though the concept of n-recall strategies, for 1 < n < uj is of some 
interest in itself, in the present paper it is introduced for purely technical reasons, to be used 
in the proof of the satisfiability-wise equivalence (see Theorem \ 3.9\ below) of the semantics 
of ATL based on concurrent game models and the one based on concurrent game Hintikka 
structures as well as in the completeness proof for our tableau procedure. 

We note, however, that a more realistic notion of finite-memory strategy is the one allow- 
ing a strategy to be computed by a finite automaton reading a sequence of states in the history 
of a run and producing a move to be played, as proposed in [28]. 

Definition 2.12 Let F\[y] be an A-strategy. The outcome of ^[7] at state s, denoted by 
out(s, FX[y]), is the set of all s-runs X such that 

(7) A[t + 1] G out(X[i],F A [-/](X[j,i})) holds for all i > 0, 
where j = max(i — 7 + 1,0). 

Note that for positional strategies condition (7) reduces to 

(P) X[i + 1] G out(X[i},F A (X[i])), for all i > 0, 

whereas for perfect-recall strategies it reduces to 

(PR) X[i + 1] G out(X\i],F A (X[0, »])), for all i > 0. 

2.2.2 Truth of ATL-formulae 

We are now ready to define the truth of ATL-formulae in terms of concurrent game models 
and perfect-recall strategies. 

Definition 2.13 A concurrent game model (for short, CGM) is a tuple A4 = ($,AP,L), 
where 

• 5 is a concurrent game frame; 

• AP is a set of atomic propositions; 

• L is a labeling function L : S — > V(AP). Intuitively, the set L(s) contains the atomic 
propositions that are true at state s. 

Definition 2.14 Let Ai = (E,S,d,5,AP,L) be a concurrent game model. The satisfaction 
relation lh is inductively defined for all s G S and all ATL-formulae as follows: 

• M, s lh p iff p G L(s), for all p G AP; 

• M, s lh -■(/? iff M, sF (p; 
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• Ai, s lh <p — > ip iff Ai, s lh <p implies Ai, s lh 

• ,A4,s lh ((A)) 0(p iff there exists an A-move o~a G -Da(s) such that Ai,s' lh ip for all 
s' 6 out(s, oa); 

• .M, s lh ((A))D</? i/f i/iere exists a perfect-recall A-strategy FX such that Ai, \[i] lh ip holds 
for all A G out(s,F\) and all positions i > 0; 

• A4,s lh ((A^ipUip iff there exists a perfect-recall A-strategy F\ such that, for all A G 
out(s,F\), there exists a position i>0 with Ai,X[i] lh ifj and Ai,X[j] lh <p holds for all 
positions < j < i. 

Definition 2.15 Let 9 be an ATL-formula and V be a set of ATL-formulae. 

• 9 is true at a state s of a CGM Ai if Ai, s lh 9; T is true at s, denoted Ai, s lh T, if 
Ai, s lh ip holds for every ip £ T; 

• 9 is satisfiable in a CGM Ai if Ai, s lh 9 holds for some s G Ai; T is satisfiable in Ai 
if Ai, s lh T holds for some s G Ai; 

• 9 is true in a CGM s lh ZioWs /or every s G A4. 

As the clauses for the modal operators ((A)) □ and ((A)) U in Definition 12.141 involve strate- 
gies, these will henceforth be referred to as strategic operators. 

Remark 2.16 As in the present paper we are only concerned with satisfiability of single 
formulae (or, equivalently, finite sets of formulae), and a formula can only contain finitely 
many atomic propositions, the size of AP is of no real significance for our purposes here. The 
issue of the cardinality of the set of agents X is more involved, however, as infinite coalitions 
can be named within a single formula, which would imply certain technical complications. 
Nevertheless, when interested in satisfiability of single formulae, the finiteness of £ does 
not result in a loss of generality. Indeed, as every formula ip mentions only finitely many 
coalitions, we can definite an equivalence relation of finite index on the set of agents that is 
naturally induced by ip; to wit, two agents are considered "equivalent" if they always occur 
(or not) together in all the coalitions mentioned in ip (i.e. a bifa^Aiffb^A holds 
for every coalition A mentioned in ip). Then, ip can be rewritten into a formula ip' in which 
equivalence classes with respect to = v are treated as single agents. It is not hard to show that 
ip' is satisfiable iff ip is, and thus the satisfiability of the latter can be reduced to the satisfiablity 
of the former. 

2.3 Fixpoint characterization of strategic operators 

In the tableau procedure described later on in the paper and in the proofs of a number of 
results concerning ATL, we will make use of the fact that the strategic operators ((A)) □ and 
((A)) U can be given neat fixpoint characterizations, as shown in |17j . In this respect, ATL 
turns out to be not much different from LTL and CTL, whose "long-term" modalities are 
well-known to have similar fixpoint characterizations. 

The following definitions introduce set theoretic operators corresponding to the semantics 
of the respective coalitional modalities in a sense made precise in Theorem 12.191 
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Definition 2.17 Let (E,S,d,5) be a CGF and let X C S. Then, [((A)) O] is an operator 
V(S) i— > 'P(S) defined by the following condition: s G [{(A)) 0](X) iff there exists oa £ Da(s) 
such that out(s,aA) C X. 

Definition 2.18 Le£ (X,£, d, 5) be a CGF and let X,Y C S. Then, we define operators 
[Y n (A}}0] and [Y U ((A)) O] from V{S) to V{S) as expected: 

. [Yn((A))0](X)=Yn[((A))0](X) ; 

. [yu((4))o](i) = rup))o](4 

Given a formula 99 and a model 7W, we denote by the set { s \ A4,s lh </?}; we 

simply write ||</?|| when M is clear from the context. 

Given a monotone operator [ft] : V(S) 1— > V(S), we denote by //X.[0](X) and z^X.[f2](X) 
the least and greatest fixpoints of [fi], respectively. 

Theorem 2.19 (Goranko, van Drimmelen [TT]) Let (E,S,d,5,AP,L) be a CGM. Then, 
for any formulae ip, ip: 

. ||((A))0^|| = [((A))0](|M|) 

. ||«A»n^|| =uX.[\\<p\\ n (A))0](X); 

. \\((A))ipU^\\ =nX.[\M u [||^|| n (A))o]](x). 

Corollary 2.20 The following equivalences hold at every state of every CGM with A C S: 
. ((A))n ( p^ ( pA((A))0((A))n<p; 
. ((A}<pUi/> ~ i> v (ip A ((A)) O ((A})<^^V); 

2.4 Tight, general, and loose ATL-satisfiability 

Unlike the case of standard modal logics, it is natural to think of several apparently different 
notions of ATL-satisfiability The differences lie along two dimensions: the types of strategies 
used in the definition of the satisfaction relation and the relationship between the set of agents 
mentioned in a formula and the set of agents referred to in the language. We consider these 
issues in turn. 

The notion of strategy, as introduced above, is dependent on the amount of memory used 
to prescribe it. At one end of the spectrum are positional (or memoryless) strategies, which 
only take into consideration the current state of, but not any part of the history of, the run; 
and at the other — perfect recall strategies, which take into account the entire history of the 
run. It turns out, however, that these both "extreme" types of strategy — and, hence, all 
those in between — yield equivalent semantics in the case of ATL (they, however, differ in the 
case of the more expressive logic ATL*, considered in [5]). Therefore, the above definition 
of truth of ATL-formulae (Definition I2.14|) could have been couched in terms of positional, 
rather than perfect-recall, strategies without any changes in what formulae are satisfiable at 
which states. This equivalence, first mentioned in [5], can be proved using a model-theoretic 
argument; independently, it follows as a corollary of the soundness and completeness theorems 
for the tableau procedure presented below (see Corollary I5.38p . 
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Now, assuming the type of strategies being fixed, one can consider three different, at least 
on the face of it, notions of satisfiability and validity for ATL, depending on the relationship 
between the set of agents mentioned in a formula and the set of agents referred to in the 
language, as introduced in [30] . 

For every ATL-formula 9, we denote by Tg the set of agents occurring in 9. When 
considering an ATL-formula 9 in isolation, we may assume, without a loss of generality, that 
the names of the agents occurring in 9 are the numbers 1 through \Tg\; hence, the following 
definitions. 

Definition 2.21 An ATL-formula 9 is S-satisfiable, for some T D Tg, if 9 is satisfiable in 
a CGM M = (T,S,d,S,AP,L); 9 is S-valid if 9 is true in every such CGM. 

Definition 2.22 An ATL-formula 9 is tightly satisfiable if 9 is satisfiable in a CGM M. = 
(Tg,S,d,5,AP,L); 9 is tightly valid if 9 is true in every such CGM. 

Clearly, 9 is tightly satisfiable iff it is Eg-satisfiable. 

Definition 2.23 An ATL-formula 9 is generally satisfiable if 9 is satisfiable in a CGM 
M. = (T',S,d,5,AP,L) for some T' with Tg C T' ; 9 is generally valid if 9 is true in every 
such CGM. 

To see that tight satisfiability (validity) is different from general satisfiability (validity), 
consider the formula ->((1)) Op A ~~"((1)) O ->p; it is easy to see that this formula is generally, but 
not tightly satisfiable (accordingly, its negation is tightly, but not generally, valid) . Obviously, 
tight satisfiability implies general satisfiability, and it is not hard to notice that it also implies 
E-satisfiability (in a model where any agent a' £ T \ Tg plays a dummy role by having exactly 
one action available at every state). 

We now show that testing for both S-satisfiability and general satisfiability for 9 can 
be reduced to testing for tight satisfiability and a special case of ^-satisfiability where £ = 
Tg U {a'} for some a' £ Tg (more precisely, a' = \Tg\ + 1) — in other words, only one new 
agent suffices to witness satisfiability of 9 over CGFs involving agents not in Tg. This result, 
proved below, was first stated, with a proof sketch, for satisfiability in the more restricted (but 
equivalent with respect to satisfiability, see [13]) semantics based on "alternating transition 
systems", in [30] , 




Theorem 2.24 Let 9 be an ATL-formula, Tg C T, and a' £ Tg. Then, 9 is T-satisfiable iff 
9 is (Tg U {a'}) -satisfiable. 

Proof. Suppose, first, that 9 is S-satisfiable. Let M = (T, S, d, 5, AP, L) be a CGM and s G 5 
be a state such that M, s lh 9. To obtain a (Tg U {a'})-model Ai' for 9, first, let, for every 



• d' a (s) = d a (s) for every a £ Tg; 

• d' a ,(s) = irifeG(S-s e )^( s )l; 

then, define 5' in the following way: 5'(o£ e U a a >) = <5(o"e s U <te_s 9 ), where a a / is the place of 
(Ts-Ee in the lexicographic ordering of Ds_e 8 (s). Finally, put M.' = (Tg U {a'}, S, d' , 5' , AP, L). 




s G S: 
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Notice that the above definition immediately implies that out(s, o~a) is the same set in 
both M. and M! for every s £ S and every oa £ Da(s) with i C S^, and therefore, in both 
models, [((A)) 0](X) is the same set for every X C S 1 and every j4 C Eg. It can then be 
shown, by a routine induction on the structure of subformulae x °f using Theorem 12.191 
that M, s lh x iff s lh x f° r every s € S. 

Suppose, next, that 9 is (Eg U {a'})-satisfiable. Let M. be the model witnessing the 
satisfaction and let b be an arbitrary agent in E — Tq. To obtain a E-model A4' for 9, first, 
let, for every s £ 5: 

• (f a (s) = d a (s) for every a € Eg; 

• d' b {s) = d a ' s ); 

• = 1 for any 6' £ E \ ({6} U E e ); 

then, define 5' in the following way: S'(a^ g U C£-£ e ) = <5(o£ e U <r a /), where <r a / = <r&. Finally, 
put .M' = (S, 5, d', 5', AP, L). The rest of the argument is identical to the one for the opposite 
direction. □ 



Corollary 2.25 Let 9 be an ATL- formula. Then, 9 is generally satisfiable iff 9 is either 
tightly satisfiable or (Tq U {a'}) -satisfiable for any a' ^ Tq. 

Proof. Straightforward. □ 

Theorem 12.241 and Corollary 12.251 essentially mean that it suffices to consider two distinct 
notions of satisfiability for ATL-formulae: tight satisfiability and satisfiability in CGMs with 
one fresh agent, which we will henceforth refer to as loose satisfiability. 

2.5 Alternative semantic characterization of negated modal operators 

Under Definition 12. 141 truth conditions for negated modal operators, such as _i ((j4)) U, involve 
claims about the non-existence of moves or strategies. In [171 , an alternative semantic char- 
acterization of such formulae has been proposed; this alternative characterization involves 
claims about the existence of so-called in [IT] co-moves and co- strategies. 

Definition 2.26 Let s £ S and A C E. A co-^-move at state s is a function <t| : Da(s) *— > 
D(s) such that oa E ^(oa) for every oa £ Da(s). We denote the set of all co-A-moves at s 
by D%(s). 

Intuitively, given an ^4-move oa £ Da(s), which represents a collective action of agents in 
A, a co-A-move assigns to ox a "countermove" 0£\a of the complement coalition E \ A; taken 
together, these two moves produce a unique move vector oa U o%\a £ D(s). 

Definition 2.27 Let cr| £ D c A (s). The outcome of cr| at s, denoted by out(s,cr|), is the set 
U { 6(s, cr|(ox)) I oa £ Da(s)}. (Thus, out(s,aj[) is the range of 0%). 

We next define co-strategies, which are related to co-moves in the same way as strategies 
are related to moves. 
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Definition 2.28 Let A C £ be a coalition and 7 an ordinal such that 1 < 7 < us. A 7- 
recall co-j4-strategy is a mapping F c A Yf\ : [j i< n <i+75' n 1— ► U{^f( s ) I s £ suc/i i/tai 
F c a [ 7 ](k) G Z£(Z(«j) /or e^ery k G U i<n<i +7 S™. 

Note that the coalition following a co-A-strategy is S \ A. 

Remark 2.29 Given that 1 + u = ui, the condition of the Definition \2.28\ for the case of 
uj-recall strategies can be rephrased in a simpler form as follows: F c A [ui] : U i<n<uS n l—> 
U { D£(s) I s G S } such that F c a [lo](k) G D£(1(k)) for every k£\J i< n<u S n . 

Remark 2.30 A ^-recall co-strategy can be defined equivalently as a mapping from pairs 
(k G S n ; ^-recall strategy F A [y]) to the set of outcome states out(l(K) , FX[y](K)) . 

We will write F C A instead of i^fy] when 7 is understood from the context. 

Definition 2.31 Let -^^[7] be a ^-recall co- A- strategy. If j = ui, then F c A Yi\ is referred to 
as a perfect-recall co-A-strategy; otherwise, FaIi] is referred to as a bounded-recall co-j4- 
strategy. Furthermore, 2/7 = 1, then F c a[j] is referred to as a positional co-A-strategy. 

Definition 2.32 Let ^^[7] be a co- A- strategy. The outcome of i^py] at state s, denoted by 
out(s , F c a[~y]) , is the set of all s-runs X such that 

(7 C ) X[i + 1] G out(X\i],F c A (X[j,i])) holds for all i > 0, 
where j = m&x(i — 7 + 1,0). 

For positional co-strategies, condition (7°) reduces to 

(CP) X[i + 1] G out{X[i],F c A (X[i])), for all i > 0, 

whereas for perfect-recall co-strategies, it reduces to 

(CPR) A[» + 1] G out(X[i},F c A (X[0,i})), for all i > 0. 

Now, we can give alternative truth conditions for negated modalities, couched in terms of 
co-moves and co-strategies. 

Theorem 2.33 (Goranko, Drimmelen |17j ) Let M be a CGM and s G M. Then, 

1. A4,s II i((A))Oy iff there exists a co-A-move a A G D c A (s) such that A4,s' II up for 

every s' G out(s,o~£); 

2. A4,s II — <((A}Oip iff there exists a perfect recall co-A-strategy F c a such that, for every 
X G out(s,F c A ), there exists position i > with A4, X[i] II — «p; 

3. A4,s II — <((A}ipUip iff there exists a perfect recall co-A-strategy F C A such that, for every 
X G out(s,F c A ) and every position i > with A4,X[i] lh ip, there exists a position 
< j <i with M, X[j] lh -■(£. 

Remark 2.34 Since both types of strategies yield the same semantics for ATL, in the last 
two clauses of Theorem \2.33\ "perfect recall" can be replaced with "positional". 
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3 Hintikka structures for ATL 



When proving completeness of the tableau procedure described in the next section, we will 
make use of a new kind of semantic structures for ATL — namely, Hintikka structures. The 
basic difference between models and Hintikka structures is that while models specify the 
truth or otherwise of every formula of the language at every state, Hintikka structures only 
provide truth values of the formulae relevant to the evaluation of a fixed formula 6. Before 
defining Hintikka structures for ATL, which we, for the sake of terminological consistency, call 
concurrent game Hintikka structures, we introduce, with a view to simplifying the subsequent 
presentation, a- and /3-notation for ATL-formulae. 

3.1 a- and /3-notation for ATL 

We divide all ATL-formulae into primitive and non-primitive ones. 

Definition 3.1 Let ip be an ATL- formula. Then, ip is primitive if it is one of the following: 

• T; 

• p € AP; 

• f or some p £ AP; 

• ((A)) Oi/j for some formula ip; 

• ^((j4)) Oip for some formula ip and A ^ S. 
Otherwise, ip is non-primitive. 

Intuitively, <p is primitive if the truth of ip at a state s of a CGM cannot be reduced to 
the truth of any "semantically simpler" formulae at s; otherwise, (p is non-primitive. Note, in 
particular, that —>p is not considered "semantically simpler" then p, as the truth of the former 
can not be reduced to the truth, as opposed to the falsehood, of the latter. 

Following [27], we classify all non-primitive formulae into a-ones and /3-ones. Intuitively, 
a-formulae are "conjunctive" formulae: an a-formula is true at a state s iff two other for- 
mulae, "conjuncts" of a, denoted by a\ and c*2, are true at s. By contrast, /3-formulae are 
"disjunctive" formulae, true at a state s iff either of their "disjuncts", denoted by (3\ and /?2, 
is true at s. For neatness of classification, if the truth of a non-primitive formula ip at s can 
be reduced to the truth of only one simpler formula at s, then ip is treated as an a-formula; 
for such formulae, ot\ = ai- The following tables list a- and /^-formulae together with their 
respective "conjuncts" and "disjuncts". 



a 




OL2 


—i—iip 


f 


<P 


-i(tp -> ip) 




-nip 


-((E)) 


((0»O^ 




{A}n<p 


<P 


{A}0{A)n<p 
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ft 


P2 


-n((A))(<pW) 


~np 

1> 

-nip A -nip 
-nip 


<pAiA}0{{A}(<pUil>) 
^A^(A))0((A))(pUiP) 
-n((A))0((A))a l p 



The entries for the non-modal connectives in the above tables are motivated by the well- 
known classical validities. The entries for the strategic operators are motivated by Corol- 
lary [2J2QJ Lastly, it can be easily checked that M, s lb ->((£)) 0<p iff M, s lb ((l)O^ for 
every CGM M and s G M. 

3.2 Concurrent game Hintikka structures 

We are now ready to define concurrent game Hintikka structures (CGHSs, for short). Like 
concurrent game models, CGHSs are based on concurrent game frames, where different kinds 
of strategies may be used, ranging from positional to perfect-recall. As it will become evident 
from the forthcoming completeness proof, in the case of basic ATL, which we primarily focus 
on in this paper, it suffices to consider only positional Hintikka structures. Nevertheless, we 
consider, in this section, the most general case of CGHSs, based on perfect-recall strategiefl 

Definition 3.2 A (perfect-recall) concurrent game Hintikka structure (for short, CGHS) is 
a tuple TC = (£, S, d, 5, H), where 

• (£, S, d, 5) is a concurrent game frame; 

• H is a labeling of the elements of S with sets of ATL-formulae that satisfy the following 
constraints: 

HI If -up G H(s), then p <£ H(s); 

H2 if a G H(s), then ol\ G H(s) and «2 G H(s); 

H3 if0€ H(s), then fa G H(s) or (3 2 G H(s); 

H4 if ((A)) Op G H(s), then there exists an A-move o~a G Da(s) such that <p G H(s') 
for all s' G out(s, cja); 

H5 i/-i|i|Oi(3 G H(s), then there exists a co- A-move cr| G D c A (s) such that ^p G 
H(s') for all s' G out(s, cj|); 

H6 if ((AJfpUip G H(s), then there exists a perfect-recall A-strategy Fa such that, for all 
A G out(s,F\), there exists a position i > such that tp G H(\[i]) and p G H(X[j]) 
holds for all positions < j < i; 

H7 if -i((A))n</? G H(s), then there exists a perfect-recall co-A-strategy F c a such that, 
for every A G out(s, F c a), there exists position i > with -np G H(X[i]). 

Remark 3.3 To obtain the definition of positional CGHS, all one has to do is replace 
"perfect-recall" with "positional" in clauses (H6) and (H7) of Definition \3.3l 

4 Our reason for doing so is that we intend to consider, in a follow-up work, adaptations of the tableau 
procedure described herein to some important variations and extensions of ATL, such as ATL with incomplete 
information, ATL*, and Game Logic (.5 ]), where positional strategies only do not suffice; then, the results in 
this section will be put to full use. 
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Definition 3.4 Let 9 be an ATL-formula and H = (S, S, d, 5, H) be a CGHS. We say that 
TL is a concurrent game Hintikka structure for 9 if 9 G H (s) for some s G S. 

Hintikka structures can be thought of as representing a class of models on the set of states 
S that, for every s G S, agree on the formulae in H (s) (that is, make exactly the same formulae 
in H{s) true). Models themselves can be thought of as maximal Hintikka structures, whose 
states are labeled with maximally consistent sets of formulae. More precisely, given a CGM 
A4 = (£, S, d, 6, AP, L), we can define the extended labeling function by L^ v[ {s) = {if \ 
A4, s lh cp }, where tp ranges over all ATL-formulae, and the resulting structure (£, S, d, 5, Lj^) 
will be a Hintikka structure. This immediately gives rise to the following theorem. 

Theorem 3.5 Let 9 be an ATL-formula. Every CGM M = (£, S,d, 5, AP, L) satisfying 9 
induces a CGHS TL = (£, S, d, 8, Lj^) for 9, where L~^ is the extended labeling function on 
M. 

Proof. Straightforward, using Theorem 12.331 for (H5) and (H7). □ 

Conversely, every Hintikka structure for a formula 9 can be expanded to a maximal one — 
that is, a model — by declaring, for every s G S, all atomic propositions outside H(s) to be 
false at s. To prove this claim, however, we need a few auxiliary definitions. 

Definition 3.6 Let TL = (S, S,d,5, H) be a CGHS. A run of length m, where 1 < m < uj, 
in TL is a sequence A = sq, . . . , s m -i of elements of S such that, for all < i < m — 1, the 
state Sj+i is a successor of the state Si. Numbers through m — 1 are called positions of A. 
The length of X, defined as the number of positions in X, is denoted by \X\. For each position 
< i < m, we denote by X[i] the ith state of X. A finite run in TL is a run of length m for 
some m with 1 < m < uj. A finite run with A[0] = s is a finite s-run. 

Definition 3.7 Let TL be a CGHS, X be a finite s-run in TL, and F c A[m] be an m-recall co- 
A-strategy on the frame ofTL, where 1 < m < uj. We say that X is compliant with F^fm] 
if 

• |A| =m + l; 

• X[i + 1] G out(X[i},F c A [m](X[0,i})) holds for all < i < m. 

Definition 3.8 Let TL be a CGHS, let X be an (infinite) s-run in TL and let F c a be a perfect- 
recall co-A-strategy on the frame ofTL. We say that X is compliant with F\ if X G out{s, F c a). 

Theorem 3.9 Let 9 be an ATL-formula. Every CGHS TL = (E,S,d,S,H) for 9 can be 
expanded to a CGM satisfying 9. 

Proof. Let TL = (£, S, d, S, H) be a CGHS for 9. To obtain a CGM M = (S, 5, d, S, AP, L), 
we define the labeling function L as follows: L(s) = H(s) n AP, for every s€5. 

To establish the statement of the theorem, we prove, by induction on the structure of 
formula x that, for every s G S and every Xt the following claim holds: 

X G H (s) implies Ad, s lh x an d & H(s) implies A4, s II — <x- 
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Let x be some p G AP. Then, p G H(s) implies p G L(s) and, thus, A4, s lh p; if, on the other 
hand, ->p G H(s), then due to (HI), p ^ H(s) and thus p ^ L(s); hence, M., s II — >p. 

Assume that the claim holds for all subformulae of x) then, we have to prove that it holds 
for X, as well. 

Suppose that x is If "'V 9 £ H( s )> then the inductive hypothesis immediately gives us 
A4, s II — «p; if, on the other hand, -1-199 G H(s), then by virtue of (H2), 99 G H(s) and hence, 
by inductive hypothesis, Ai, s lh (/? and thus A4,s \\ — *-np. 

The cases of x = V 3 ~~ * V 7 an d X = ((^)) OV' and are straightforward, using (H2)-(H5). 

Suppose that x = {{A}tpUip. If {(A))(pUip £ H(s), then the desired conclusion immediately 
follows from (H6) and the inductive hypothesis. 

Assume now that ^([AJupUip G H(s). In view of the inductive hypothesis and Theo- 
rem 12.331 it suffices to show that there exists a perfect-recall co-^4-strategy F c a such that 
A G out(s, F c a) implies that, if there exists i > with tp G if (A[i]), then there exists < j < i 
with -up G H(X[j]). 

We define the required F c a by induction on the length of sequences in its domain. This 
amounts to defining finite prefixes of F c a for every 1 < n < lo — the restrictions of F°a to 
sequences of states of length < n. Clearly, the finite prefix of F c a of length n is an n-recall 
co-A-strategy. We only explicitly define the value of F c A[n](X), where |A| = n, if A is a finite 
s-run compliant with F c A[n — 1] (recall Definition 13. 7p . where .F5i[^ — 1] is a strategy defined at 
the previous step of the induction. The values of i ?< Ji[n](A) for any other sequences of length 
n are immaterial. The only other constraint that we have to take into account when defining 
F^[n] is that, if F^lN extends F^fm], then the values of F^[m] and -F'kfn] should agree on 
all the sequences of length m. Alongside defining -F5l[ re ] for every 1 < n < u>, we prove that 
the following invariant property holds: If A G out(s, F c A[n]), then 

(i) Either there exists a position < i < n, such that 
(t) G H(\[i}) and ^ G H(X[j]) for all < j < i, 

(ii) or -*/>, ->{A} O ((AjipUtp G H(X[i\) for all < i < n. 

Clearly, if every finite prefix of F c a satisfies (f), F c a is the required co-^4-strategy. 

We start by defining There is only one s-run of length 1, namely (s). As 

->((A}(pUi> G #(s),inview of(H3) and (H2), either -*/>,-«p G H(s) or ^,->((A}0 ((A}(pU^ G 
H(s). In the former case any co-j4-move will produce a co-A-strategy F5l[l] such that, if 
A G out(s, F c a[1]), then A satisfies (f) (i). In the latter case, (H5) guarantees that there exists 
a co-^4-move cr| G D A (s) such that -^((A}ifUip G H(s') for all s' G otrf(s,<7|). This, together 
with (H3) and (H2) guarantees that ->tp, ->{A} O ((A}<pUi(i G H(s') for every s' G out(8,o%), 
which, as —>tp G H(s), ensures that (f) (ii) holds for any A G out(s, F c a[1]). Thus, in either 
case, (f) holds for every A G out(s, F c a[1}). 

Next, inductively assume that, if A is an s-run compliant with _F^[n], then (f) holds for A. 
We need to show how to extend F^[n] to F c a[u + 1] D F5l[n] in the (jA-preserving way. If (f ) 
(i) holds for every A satisfying the condition of the inductive hypothesis, then obviously, any 
co-A-move will do. Otherwise, (f) (ii) holds for every such A; then, F^n-hl] can be obtained 
from .F5i[n] as in the second part of the "basis case" argument. For all other sequences k 
of length n + 1 (i.e., those that do not start with s or are not compliant with f^fn]), the 
value F c A[n](K) can be defined arbitrarily. For all sequences k of length < n, we stipulate 
F c A[n + 1](k) = F c A[n](n). This completes the definition of F c a\ti + 1]. As we have seen, if A 
is an s-run compliant with F c a[u + 1], then (j) holds for A. 
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The case of -> € H(s) is straightforward using (H7), while the case of {A))Oip £ 
H(s) can be proved in a way analogous to the case of ->((A s j)ipUtp, using suitable definitions 
of compliancy of (finite and infinite) runs with strategies. □ 

Theorems 13.51 and 13,91 taken together mean that, from the point of view of a single ATL- 
formula, satisfiability in a (perfect-recall) model and in a (perfect-recall) Hintikka structure 
are equivalent. 

4 Terminating tableaux for tight ATL-satisfiability 

In the current section, we present a tableau method for testing ATL-formulae for tight sat- 
isfiability. 

Traditionally, tableau techniques work by decomposing the formula whose satisfiability is 
being tested into "semantically simpler" formulae. In the classical propositional case (|27j). 
"semantically simpler" implies "smaller" , which by itself guarantees termination of the pro- 
cedure in a finite number of steps. Another feature of the tableau method for the classical 
propositional logic is that this decomposition into semantically simpler formulae results in a 
tree representing an exhaustive search for a model — or, to be more precise, a Hintikka set 
(the classical analogue of Hintikka structures) — for the input formula. If at least one branch 
of the tree produces a Hintikka set for the input formula, the search has succeeded and the 
formula is pronounced satisfiabl^E 

These two defining features of the classical tableau method do not emerge unscathed when 
the method is applied to logics containing fixpoint operators, such as ATL (in this respect, 
the case of ATL is similar to those of LTL and CTL). 

Firstly, decomposition of ATL-formulae into "semantically simpler" ones, which, just as 
in the classical case, is carried out by breaking up a- and /3-formulae into their respective 
"conjuncts" and "disjuncts," does not always produce smaller formulae, as can be seen from 
the tables given in section [37TT Therefore, we will have to take special precautions to ensure 
that the procedure terminates (in our case, as in [32], this will involve the use of the so-called 
prestates). 

Secondly, in the classical case the only reason why it might turn out to be impossible 
to produce a Hintikka set for the input formula is that every attempt to build such a set 
results in a collection of formulae containing a patent inconsistency (from here on, by patent 
inconsistency we mean a pair of formulas of the form ip, -x^jE In the case of ATL, there 
are two other reasons for a tableau not to correspond to any Hintikka structure for the 
input formula. First, applying decomposition rules to eventualities — formulae whose truth 
conditions require that some formula (ip in the case of the eventuality ((A^ipLhp, and —up in 
the case of the eventuality -i ((.A)) □</?) "eventually" becomes true; the tableau analog of this we 
will refer to as realization of an eventuality, — one can indefinitely postpone their realization 
by always choosing the "disjunct" (notice that both eventualities are /3-formulas) "promising" 
that the realization will happen further down the line, this "promise" never being fulfilled. 

5 Even though this tree is usually built step-by-step by decomposing one formula at a time (see [27] and 
[32]), it can be compressed into a simple tree — i.e., a tree with a single interior node — whose root is the set 
containing only the input formula and whose leaves are all minimal downward-saturated extensions (to be 
defined later on; see Definitions 14.11 and 14. 2[) of the root. We will use this, more compact, approach in our 
tableaux. 

6 Notice that this condition implies but is not, in general, equivalent to propositional inconsistency. 
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Therefore, in addition to not containing patent inconsistencies, "good" ATL tableaux should 
not contain sets with unrealized eventualities. Yet another reason for the resultant tableau 
not to represent a Hintikka structure is that some sets do not have all the successors they 
would be required to have in a corresponding Hintikka structure. 

Coming back to the realization of eventualities, it should be noted that, in a Hintikka 
structure for the input formula, all the eventualities belonging to the labels of its states have 
to be realized, and different eventualities can place different demands on the labels of states 
of a Hintikka structure. Fortunately, in the case of ATL (just like in those of LTL and CTL 
and unlike, for example, those of Parikh's game logic [25J and propositional /i-calculus |7J), 
eventualities can be "taken on" one at a time: we can ensure, and this lies at the heart of 
our completeness proof, that having realized eventualities one by one, we can then assemble a 
Hintikka structure out of the "building blocks" realizing single eventualities. This technique 
resembles the mosaic method used to prove decidability of a variety of modal and temporal 
logics (see, for example, [2Tj). 

4.1 Brief description of the tableau procedure 

In essence, the tableau procedure for testing an ATL-formula 9 for satisfiability is an attempt 
to construct a non-empty graph T d , called a tableau, representing all possible concurrent 
game Hintikka structures for 9. If the attempt is successful, 9 is pronounced satisfiable; 
otherwise, it is declared unsatisfiable. (As this whole section is exclusively concerned with 
tight satisfiability, whenever we use the word "satisfiable" or any derivative thereof, we mean 
the tight variety; another reason to keep the language generic is that — as we shall see later 
on — the basic ideas transfer smoothly over to other species of satisfiability). 

The tableau procedure consists of three major phases: construction phase, prestate elimi- 
nation phase, and state elimination phase. Accordingly, we have three types of tableau rules: 
construction rules, a prestate elimination rule, and state elimination rules. The procedure 
itself essentially specifies — apart from the starting point of the whole process — in what order 
and under what circumstances these rules should be applied. 

During the construction phase, the construction rules are used to produce a directed graph 
V — referred to as the pretableau for 9 — whose set of nodes properly contains the set of nodes 
of the tableau T s that we are ultimately building. Nodes of V 8 are sets of ATL-formulae, 
some of which — referred to as state jj| — are meant to represent states (whence the name) of 
a Hintikka structure, while others — referred to as prestates — fulfill a purely technical role of 
helping to keep V s finite. During the prestate elimination phase, we create a smaller graph 
out of V 6 — referred to as the initial tableau for 9 — by eliminating all the prestates of V e (and 
tweaking with its edges) since prestates have already fulfilled their function: as we are not 
going to add any more nodes to the graph built so far, the possibility of producing an infinite 
structure is no longer a concern. Lastly, during the state elimination phase, we remove from 
Tq all the states, if any, that cannot be satisfied in any CGHS, for one of the following three 
reasons: either they are inconsistent, or contain unrealizable eventualities, or do not have all 
the successors needed for their satisfaction. This results in a (possibly empty) subgraph T 
of Tq , called the final tableau for 9. Then, if we have some state A in T e containing 9, we 

7 From here on, the term "state" is used in two different meanings: as "state" of the (pre)tableaux — which 
is a set of ATL-formulas satisfying certain conditions, to be stated shortly, — and as a "state" of a semantic 
structure (frame, model, or Hintikka structure). Usually, the context will determine explicitly which of these 
we mean; when the context leaves room for ambiguity, we will explicitly mention what kind of states we mean. 
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pronounce satisfiable; otherwise, we declare unsatisfiable. 



4.2 Construction phase 

As already mentioned, at the construction phase, we build the pretableau V s — a directed 
graph whose nodes are sets of ATL-formulae, coming in two varieties: states and prestates. 
Intuitively, states are meant to represent states of CGHSs, while prestates are "embryo states" , 
which will in the course of the construction be "unwound" into states. Technically, states are 
downward saturated, while prestates do not have to be so. 

Definition 4.1 Let A be a set of ATL-formulae. We say that A is downward saturated if 
the following conditions are satisfied: 

• if a £ A, then ct\ € A and «2 € A; 

• if (3 e A, then ft G A or ft 6 A. 

Moreover, V e will contain two types of edge. As has already been mentioned, tableau 
techniques usually work by setting in motion an exhaustive search for a Hintikka structure for 
the input formula; one type of edge, depicted by unmarked double arrows =>, will represent 
this exhaustive search dimension of our tableaux. Exhaustive search looks for all possible 
alternatives, and in our tableaux the alternatives will arise when we unwind prestates into 
states; thus, when we draw an unmarked arrow from a prestate T to states A and A' (depicted 
as T ==> A and T A', respectively), this intuitively means that, in any CGHS, a state 
satisfying T has to satisfy at least one of A and A'. 

Another type of edge represents transitions in CGHSs effected by move vectors. Ac- 
cordingly, this type of edge will be represented in pretableaux by single arrows marked with 
| Eel-tuples ex of numbers, each number intuitively representing an a-move for some a G Eg. 
Intuitively, we think of these |E#|-tuples as move vectors. Thus, if we draw an arrow marked 
by a from a state A to a prestate T (depicted as A — —> V), this intuitively means that, in 
any CGHS represented by the tableau we are building, from a state satisfying A we can move 
along a to a state satisfying T. 

It should be noted that, in the pretableau, we never create in one go full-fledged successors 
for states, which is to say we never draw a marked arrow from state to state; such arrows 
always go from states to prestates. On the other hand, unmarked arrows connect prestates 
to states. Thus, the whole construction of the pretableau alternates between going from 
prestates to states along edges represented by double unmarked arrows and going from states 
to prestates along the edges represented by single arrows marked by "move vectors". This 
cycle has, however, to start somewhere. 

The tableau procedure for testing satisfiability of starts off with the creation of a single 
prestate {0}. Thereafter, a pair of construction rules are applied to the part of the pretableau 
created thus far: one of the rules, (SR), specifies how to unwind prestates into states; the 
other, (Next), — how to obtain "successor" prestates from states. To state (SR), we need 
the following definition. 

Definition 4.2 Let T and A be sets of ATL-formulae. We say that A is a minimal down- 
ward saturated extension of T if the following holds: 



• T C A: 
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• A is downward saturated; 

• there is no downward saturated set A' such that T C A' C A. 

Note that T can be a minimal downward saturated extension of itself. 
We now state the first construction rule. 

(SR) Given a prestate T, do the following: 

1. add to the pretableau all the minimal downward saturated extensions A of T as states; 

2. for each of the so obtained states A, if A does not contain any formulae of the form 
({A} Otp or ->{A}0(p, add the formula fS e ))OT to A; 

3. for each state A obtained at steps 1 and 2, put T ==> A; 

4. if, however, the pretableau already contains a state A' that coincides with A, do not 
create another copy of A', but only put T A'. 

We denote the finite set of states that have outgoing edges from a prestate T by states(r). 
These include genuinely "new" states created by applying of (SR) to T as well as the states 
that had already been in the pretableau and got identified with a state that would otherwise 
have been created by applying (SR) to T. 

Example 1 As a running example illustrating our tableau procedure, we will be constructing 
a tableau for the formula 0\ = -i((l))Dp A ((1,2)) Op A -| ((2}) O^p. The construction of the 
tableau for this formula starts off with the creation of a prestate T\ = {-i((l))Dp A ((1, 2}} Op A 
-i((2)) O^p}. Next, (SR) is applied to T\, which produces two states, which we call, for future 
reference, Ai and A2 (in the diagram below, as well as in the following examples, we omit 
the customary set-theoretic curly brackets around states and prestates of the (pre)tableaux): 

(ri) -«i»n P A (1, 2}Op a -.(2)0-* = 0i 

/ \ 

r Al ) 0i,-«l»ap,<(l,2)}O, fA a1 0i,-«l»n P ,«l,2))Op, 
^«2»0-P,-«i»0«i»np -(2)Op,-p 

In general, if at least one subformula of a non-primitive member of a prestate r is a (3- 
formula, V will have more than one minimal downward saturated extension; hence, for such 
a T, the set states(r) will contain more than one state. The only exception to this general 
rule may occur when we come across /3-formulae for which (3\ = fo, such as (99 — > -199). 

We now turn to our second construction rule, (Next), which creates "successor" prestates 
from states. The rule has to ensure that a sufficient supply of successor prestates is created 
to enforce the truth of all "next-time formulae" (see below) at the current state. Unlike the 
case of logics whose models are sets of states connected by edges of binary relations, such 
as LTL and CTL, in ATL successor prestates cannot be created by simply removing the 
"next-time" modality from a formula and creating an edge associated with that formula. On 
the contrary, in ATL, transitions are effected by move vectors, with which we, then, associate 
formulae made true by actions of agents making up that particular move vector. Thus, the 
rule (Next) needs to provide each agent mentioned in the input formula with a sufficient 
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number of actions available at the current state, and then "populate" prestates associated 
each resultant move vector a with appropriate formulae. 

Before formally introducing the rule, we provide some intuition behind it. The rule is 
applicable to a state, say A; more precisely, it is applicable to the formulae of the form 
((-A))0<£> — which we refer to as positive next-time formulae — and -i((A})0^, where A ^ £ — 
which we refer to as proper negative next-time formulae — belonging to A. Positive and proper 
negative next-time formulae are referred to collectively as next-time formulae. These formulae 
are arranged in a list L and, thus, numbered; all the positive formulae in L precede all the 
negative ones; otherwise, the ordering is immaterial. The agents mentioned in the input 
formula 9 can be thought of as having to decide which formulae from A appearing under the 
"next-time" coalition modalities ((. ..))0 and ->((... ))0 should be included into a successor 
prestate associated with each move vector a (inclusion into a prestate intuitively corresponds 
to satisfiability in the successor states of a Hintikka structure, as prestates eventually get 
unwound into tableau states). Therefore, the number of "actions" each agent mentioned in 
9 is given at A equals the number of the next-time formulae in A (= length of L). These 
actions are combined into "move vectors" a leading to successor prestates. The inclusion of 
formulae into the prestate r CT created as a successor of A by an arrow labeled with a is then 
decided as follows. A formula <p for which i[A^Oip € L is included into T a , if every agent 
in A "votes" in a for this formula (i.e. every ith slot in a with i G A contains the number 
representing the position of ((^4)} Oip in L). On the other hand, ->ip for which -<{A} Otp G L 
is included into T a (for technical reasons, at most one such formula can be included into any 
prestate) if every agent not in A votes, in the sense explained above for the positive case, for a 
negative formula from L (not necessarily _| ((^4)) OVO and, moreover, _, ((^4)) Oip is the formula 
decided on by the collective (negative) vote of agents in £ \ A. Technically, this collective 
vote is represented by the number neg(cr), which is computed using all negative votes of a, 
which allows it to represent a truly collective decision. 

We now turn to the technical presentation of (Next). The rule does not apply to the 
states containing patent inconsistencies since such states, obviously, cannot be part of any 
CGHS (so, we are not wasting time creating "junk" that will have to be removed anyway). 

(Next) Given a state A such that for no x we have x, —<x G A, do the following: 

1. Order linearly all positive and proper negative next-time formulae of A in such a way 
that all the positive next-time formulae precede all the negative ones; suppose the result 
is the list 

L = (A )) Oo, • • • , {Am-l} OVm-l, -K)) O^o. ■ ■ ■ . -iillOil. 

(Note that, due to step 2 of (SR), L is always non-empty.) Let r& = m + I; denote 
by D(A) the set {0, . . . ,ta - l}' Ee '; lastly, for every <tG D(A), denote by N(a) the set 
{i | o~i>m}, where oi stands for the ith component of the tuple a, and by neg(c) the 
number Ei e jv(<^(^ ~ m )] mod l - 

2. Consider the elements of D (A) in the lexicographic order and for each a £ D(A) do 
the following: 

(a) Create a prestate 

r<r = { | {A p } O ip p G A and a a = p for all a G A p } 

U { -*l> q | -n((4)> O V 9 e A, neg(o) = q, and - A' q C N(o) }; 
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put F a := {T} if the sets on both sides of the union sign above are empty, 
(b) Connect A to T a with — 

If, however, T a = T for some prestate F that has already been added to the pretableau, 
only connect A to T with 

We denote the finite set of prestates { T | A — ^> T for some a € D(A) } by prestates(A) . 
Note that a state A may get connected to some T € prestates(A) by arrows labeled by 
distinct a,a' £ D(A). In such cases, we "glue together" arrows labeled by a and a', in effect 
creating an arrow marked by a set of labels rather than a label (in examples below, in such 
cases, we attach several labels to a single arrow). 

Example 1 (continued) Let us apply the (Next) rule to the state 
Ai = {6>i,^((l))Dp, ((l,2))Op,->((2))0-'P,->((l))0((l))np} from our running example. We 
arrange all the positive and proper negative next-time formulae of this state in the list L = 
((1, 2)) Op, _| ((2)) O —>p, O Then, at A±, each of the two agents from 9\ is going to 

have 3 actions, denoted by numbers 0, 1, and 2. To decide what formulae are to be included 
in the prestates resulting from tuples of those actions, we also need to separately number all 
the negative next-time formulae from L: ->((2)) O^p will be numbered 0, while ->((1)) 0((l))Dp 
will be numbered 1 (neg(a) in the table below will refer to these numbers). The following table 
illustrates which formulae are included into prestates associated with what move vectors at A: 



a 


neg(o) 


formulae 


0,0 





V 


0,1 





T 


0,2 


1 


-n(i)n P 


1,0 





— 1— ip 


1,1 







1,2 


1 


-n(l>D P 


2,0 


1 


T 


2,1 


1 


-n(i)n P 


2,2 





— 1— ip 



In the table above, it so happens that only one formula is included into each prestate; in 
general, however, this does not have to be the case. Based on the above table, by applying 
(Next) to A±, we produce the following set of its prestate successors: 

(A , -«l»Dp,«l,2»Op, 

(Al M<2»0-P,-«l>}0«l>}n P 




-i(l))Dp p -i-ip T 

Remark 4.3 Technically, (Next) ensures that every T a £ prestates(A) satisfies the follow- 
ing properties: 

• if {((Ai)) Oifi, {{AjjOipj} C A and ipj} C T a , then Ai n Aj = 0; 

• T a contains at most one formula of the form such that _, ((^4)) Of £ A, since the 
number neg(cr) is uniquely determined for every a£ D(A); 

• if {((AijQipi, -<((A')) Oip} C A and ^} C T a , iften A { C A' . 
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Note that there is a connection between the above properties and the basic properties 
of "next-time" coalition modalities, such as monotonicity and superadditivity (see [22], |24j . 

The construction phase, starting with a single prestate {9}, consists of alternately applying 
the rule (SR) to the prestates created as a result of the last application of (Next) (or, if we 
are at the beginning of the whole construction, to {9}) and applying (Next) to the states 
created as a result of the last application of (SR). This cycle continues until any application 
of (Next) does not produce any new prestates; after adding the relevant arrows, if any, the 
construction stage is over. As we show in the next subsection, this is bound to happen in a 
finite number of steps — more precisely, in the number of steps exponential in the length of 9. 

Example 1 (continued) Here is a complete pretableau for the formula 9\ = ->{(l))Dp A 
«l,2))OpA-«2))0-?>: 

-.(l)Op A (1, 2) Op A -(2) O-P = 0i 

/ \ 

0i,-<l)Dp, (1,2) Op, 6>i, (1,2) Op, 

^«2» O-P, -<(1» O (l)Dp -«2» O-P, -TP 




Example 2 For yet another demonstration of our procedure, let us build a pretableau for the 
formula 9 2 = (l))0^q A ({2))pUq: 

(l)n-.gA«2)pWg = ft, 

X \ 

02, (l>n-9, (2}pUq, ^q, 02, (lja^q, {2))pUq, 

«1)> O (l)D-9, P, (2» O «2»p Uq 0,0 ^ qAl)) O (1) q 
(l)n-.3,-.?\ (2} P Uq,p, (2)pUq,q, (l}a^q,^q, ' W^p,,' T,ll,2)OT 

«i}>0((i)>n-g\«2}>0({2»pWg (l,2»OT fi»o(i»n-g, (l)0(i»n-5, 

\. {{2}pUq,q {2)) P Uq,p, 
^- (2) O «2»p Wg 

4.3 Termination and complexity of the construction phase 

To prove that the construction phase eventually terminates and to estimate its complexity, 
we use the concept of the extended closure of an ATL-formula. 

Definition 4.4 Let 9 be an ATL-formula. The closure of 9, denoted by c\(9), is the least set 
of formulae such that 

• 9 € cl(0); 
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• cl(6>) is closed under subformulae; 

• if {(A)) (cp Kip) G cl(0), then tp A ((A)) O ((A)){ipU^) G cl(6>); 

• »/ - ((A)) {if Kip) € cl (9) , then ^ A -.p, -.^ A - ((A)) O ((A)) (99 Z#) G cl (0) ; 

• i/ ((A)) □¥> € cl(0), i/ien ^ A ((A)) O ((A)) □ <p G cl((9). 

Definition 4.5 Lei 6e an ATL-formula. The extended closure of 6*, denoted by ecl(0) ; is 

i/ie least set of formulae such that 

• if ip G cl(6*), i/ien G ecl(0); 

• z/-((£40 G cl(0), t/ien ((0))O-(^ G ecl(0); 

• T G ecl(0); 

• (E))OT G ecl(0). 

We denote the cardinality of ec\(8) by | eel (6*) | and the length of a formula by \9\. When 
calculating the length of a formula, we assume that every agent's name counts as one symbol 
and that a pair of coalition braces is "lumped together" as one symbol with the temporal 
operator that follows it; thus, |((1, 2)) Op\ = 4. 

Lemma 4.6 Let 9 be a ATL-formula. Then, ecl(0) is finite; more precisely, |ecl(0)| G 0(|0|) ; 
i.e, |ecl(0)| < c • \9\ for some c > 1. 

Proof. Straightforward. □ 

To simplify notation, let us denote \9\ by n and \T,g\ by k; let also c be the constant from the 
statement of the preceding lemma. While building the pretableau V 8 , we create 0(2 cn ) states 
and 0(2 cn ) prestates. To create a state, we need no more than O(cn) steps, thus the creation 
of all the states takes not more than 0(cn x 2 cn ) steps. For a given state A, to create all the 
prestates in prestates(A), we first produce a T a associated with a given a G D(A), which 
costs 0(cn) steps, and then check whether it is identical to a prestate created earlier, which 
takes 0((cn) 2 x 2 cn ) steps. As there are, all in all, 0((cn) k ) move vectors in D(A), the whole 
procedure of creating prestates from a given state costs 0((cn) k x (cn+(cn) 2 x 2 cn )). Applying 
this procedure to all 0(2 cn ) states, i.e, creating all prestates can thus be done in 0(2 cn x 
(cn) k x (cn + (cn) 2 x 2 cn ) = 0(2^ k+l ^ lo s( cn )+ cn + 2( fc + 2 ) lo s( cn )+ 2cn ) = 0(2^ k+2 ^> lo g( c ™)+ 2cra ). As 
this clearly dominates the complexity of creating states, the cost of the construction phase as 
a whole is 0(2 { - k+2 ^°^ +2cn ). 

4.4 Prestate elimination phase 

At the second phase of the tableau procedure, we remove from V s all the prestates and all 
the unmarked arrows, by applying the following rule: 

(PR) For every prestate T in V e , do the following: 
1. remove T from V 9 ; 
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2. for all states A in V e with A -^-> T and all A' € states(r), put A A'. 

We call the graph obtained by applying (PR) to V 9 the initial tableau, which we denote 
by T®. Note that if in V 9 we have A — — ► T and states(r) contains more than one state, then 
in Tq there is going to be more than one edge labeled with agoing out of A. 

Example 1 (continued) Here is the initial tableau Tq 1 for the formula 6± = — i (( 1 }) Dp A 

((1, 2)) Op A _| ((2)) O^p (as before, some states are named for future reference): 

(AO fc,-.(l)np,(l,2)Op, (A a )fl 1 ,-,(i)np,(i,2>Op, 

-n(2>0-P,-(l>0 (!>□!« -«2»0-P,-P 




17ms, our procedure for the formula -i((l))Dp A ((1, 2)) Op A ->((2)) O^p creates 7 states. 
For the sake of comparison with the top-down tableau procedure from \3U^ . we estimate how 
many states would be created using that procedure. As the running time of both procedures is 
roughly proportional to the number of states created, this should give us an idea as to how the 
two procedures compare in practice. 

While we use the concept of extended closure of a formula for metatheoretical purposes 
(to prove termination and estimate complexity, see Section \4-3\ ), the top-down tableaux-like 
decision procedure from [30] uses it essentially. Technically speaking, the procedure from [30] 
creates not states, but "types" — maximal, propositionally consistent, saturated subsets of the 
extended closure of the input formula. So, we estimate how many types the tableau procedure 
from ]30^ would create for the formula -i((l))Dp A ((1, 2)) Op A -| ((2)) O^p. To that end, we fist 
enumerate positive formulas of the extended closure for this formula: 

(1) -«l))Dp A ((1, 2)) Op A -((2)) Op, 

(2) -«l))DpA«l,2»Op 3 

(3) «2))0-p, 

(4) «1»°P, 

(5) «l»0«l)>Qp, 

(6) ((1,2)) Op, 

(V v. 

For every formula from the above list, each type contains either that formula or its nega- 
tion. However, not every such combination is allowed, as there are dependencies between 
formulae as to their presence in a type. 

First, if (1) is in a type, then that type must contain (2), _, (4) and (6); so, there 

are 2 2 distinct types containing formula (1). Second, if —>{!) and -| (2) are in a type, then 
we have two cases: if the type contains (4), then it contains (5), generating 2 3 types; and if 
the type ~>(G), then it contains _, (4), generating 2 3 more types. Lastly, if and (2) are 
in a type, then (3), ~i(4), and (6) are also in the type, generating 2 2 types. Thus, all in all, 
the top-down tableau procedure from f3(J\] creates 24 types, as opposed to 7 states created by 
incremental tableaux. 
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Example 2 (continued) Here is the initial tableau T Q 2 for the formula 62 = ([l])0^q A 
((2})pWg (as in the previous example, some states are named for future reference): 



Again, for the sake of comparison with tableaux form [30], we estimate the number of types 
created by those tableaux; a calculation similar to the one from the previous example shows 
that 36 types are created by the top-down tableau-like procedure, as opposed to 8 states created 
by the incremental tableau procedure. 

We briefly remark on the time required for this second phase. Once again, to simplify 
notation, let us denote \9\ by n. Recall that |ecl(0)| G 0(|#|), i.e, |ecl(#)| = c • \9\ for some 
c > 1. To remove a single prestate, we need to delete from the memory its 0(cn) formulae 
and redirect at most 0(2 cn x 2 cn ) edges — having identified set-theoretically equal states as 
part of the application of (Next) and having "glued together" arrows having the same source 
and target, we do not have, at this stage, to deal with 0(cn k ) outgoing edges for each state. 
Hence, the removal of a single prestate can be done in 0(2 2cn ) steps. As there are at most 
0(2 cn ) prestates, the whole procedure takes C(2 3cn ) steps. 

4.5 State elimination phase 

During the state elimination phase, we remove those nodes of T that cannot be satisfied in 
any CGHS. As already mentioned, there are three reasons why a state A of T ° can turn out 
to be unsatisfiable in any CGHS. First, A may contain a patent inconsistency. Secondly, 
satisfiability of A may require that at least one state from a set of tableau states X is satisfiable 
as a successor of the state sa of a CGHS presumably satisfying A, while all states of X turn 
out to be unsatisfiable sets. Thirdly, A may contain an eventuality that is not realized in the 
tableau; that this implies unsatisfiability of A is much less obvious than in the preceding two 
cases — in fact, a major task within the soundness proof for our procedure is to establish that 
this is indeed so. Accordingly, we have three elimination rules, (E1)-(E3), each taking care 
of eliminating states of Tq on one of the above-mentioned counts. 

Technically, the elimination phase is divided into stages; at stage n + 1, we remove from 
the tableau T® obtained at the previous stage exactly one state, by applying one of the 
elimination rules, thus obtaining the tableau T^ +i . We now state the rules governing the 
process. The set of states of tableau 7^ is denoted by S^. 

The rationale for the first rule is obvious. 



As states are downward-saturated, this is tantamount to saying that A contains a propositional inconsis- 
tency, even though in general these two concepts are not identical, as noted earlier. 




(El) If {ip, -up} C A € Sf^, then obtain T® +1 by eliminating A from 7^ 
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The rationale behind the second rule is also intuitively clear: if A is to be satisfiable, then 
for each a G D(A) there should exists a satisfiable A' with A — — > A'. If all such A's have 
been eliminated because they are unsatisfiable, then A is itself unsatisfiable. 

(E2) If, for some a G D(A), all states A' with A — —> A' have been eliminated at earlier 
stages, then obtain 7^ +1 by eliminating A from 

To formulate (E3), we need the concepts of realization of an eventuality in a tableau. 
To define that concept, we need some auxiliary notation. Let A G Sq, and let {(A))0(p be 
the p-ih formula in the linear ordering of the next-time formulae of A induced as part of 
application of (Next) to A; let, finally, O ip be the q-ih formula in the same ordering. 

Then, we use the following notation: 

D(A, (A)) Of) := { ae D(A) \ a a = p for every a G A}; 
D(A,^{{A'))Oip) :={a(£D(A) | neg(o) = q and S e \ A' C N(a) }. 

Intuitively, D(A,x) corresponds to an A-move (if x = f^lOy) or a co-^4-move (if x = 
-i((^4')) Otp) witnessing the "satisfaction" of x at state A (recall that ^4-moves and co-A-moves 
can be identified with equivalence classes on the set of move vectors) . 

We now recursively define what it means for an eventuality of the form ((AJ)<pUifj to be 
realized at a state A of tableau T%. 

Definition 4.7 (Realization of eventuality ((A}ipUip) 

1. If{i/>, ({A}(pUi/>} CAeSf, then ((AjipUip is realized at A in T°; 

2. If {ip, ((A)) O {(A}ipUip, ((A}ip Uip} C A and for every a G D(A, ((A)) O ({A}(pUip), there 
exists A' G such that 

• A A' and 

• ({A}ipUtp is realized at A' inT®, 
then ((A}ipUif) is realized at A in . 

The definition of realization for eventualities of the form ^((A}Oip is analogous: 

Definition 4.8 (Realization of eventuality -i((_A))Dy>) 

1. If {^<f,^((A))a<f} CAeSf, then ^((A))a<p is realized at A in T°; 

2. If (A)) O ((A)) Dtp, ^ ((A)) a^} c A and, for every a G D(A, ->{A} O ((A))n<p) there 
exists A' G such that 

• A A' and 

• is realized at A' in T® , 
then is realized at A inT®. 
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We can now state our third elimination rule. 

(E3) If A € contains an eventuality that is not realized at A in TJ* , then obtain T® +1 
by removing A from Tj*. 

While implementation of the rules (El) and (E2) is straightforward, implementation of 
(E3) is less so. It can be done by computing the set of states realizing a given eventuality 
£ in tableau 7^f, say, by marking those states that realize £ in T®. To formally describe the 
procedure, we need some extra notation. 

First, given AeS^ and a€ D(A), we denote by succ CT (A) the set { A' € S e n | A A' }. 
Secondly, given a formula x, we write, abusing set-theoretic notation, \ G Tj- to mean that 
X G A for some A G S*. 

We now describe the marking procedure for T® with respect to eventuality £. We first 
do so for eventualities of the form {{AJ)(pUip. Initially, we mark A if ip G A. Afterwards, we 
repeat the following computation for every A £ 5f that is still unmarked: mark A if, for 
every a G D(A, ({A} O ((A}ipUip), there exists at least one A' such that A' G succ^A) and 
A' is marked. The procedure is over when no more states can get marked. 

The procedure for computing eventualities of the form is similar. Initially, we 

mark A if -up G A. Afterwards, we repeat the following computation for every A £ that 
is still unmarked: mark A if, for every a G D(A, ~^((A} O ((-A)) there exists at least one 
A' such that A' G succ^A) and A' is marked. The procedure is over when no more states 
can get marked. 

Lemma 4.9 Let A G and £ G T^f be an eventuality. Then, £ is realized at A inT® iff A 
is marked in T® with respect to £. 

Proof. Straightforward. □ 

Thus, the application of (E3) in tableau with respect to eventuality £ consists of 
carrying out the marking procedure with respect to £ and then removing all the states that 
contain £, but have not been marked with respect to £. 

We have thus far described individual rules and how they can be implemented. To describe 
the state elimination phase as a whole, it is crucial to specify the order of application of those 
rules. 

First, we apply (El) to all the states of it is clear that, once it is done, we do not 
need to go back to (El) again. The cases of (E2) and (E3) are slightly more involved. 
Having applied (E3) to the states of the tableau, we could have removed, for some A, all 
the states accessible from it along the arrows marked by some a G D(A); hence, we need to 
reapply (E2) to the resultant tableau to get rid of such A's. Conversely, having applied (E2), 
we could have removed some states that were instrumental in realizing certain eventualities; 
hence, having applied (E2), we need to reapply (E3). Furthermore, we cannot stop the 
procedure unless we have checked that all eventualities are realized. Thus, what we need is 
to apply (E3) and (E2) in a dovetailed sequence that cycles through all the eventualities. 
More precisely, we arrange all the eventualities occurring in the tableau obtained from Tq 
by having applied (El) to Tq in the list £1, . . . ,£ m - Then, we proceed in cycles. Each cycle 
consists of alternatingly applying (E3) to the pending eventuality, and then applying (E2) 
to the tableau resulting from that application, until all the eventualities have been dealt with; 
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once we reach £ m , we loop back to £1. The cycles are repeated until, having gone through the 
whole cycle, we have not had to remove any states. 

Once that happens, the state elimination phase is over. The resultant graph we call the 
final tableau for 9 and denote by T 9 . 

Definition 4.10 The final tableau T 9 is open i/9 € A for some A € S 9 ; otherwise, T 9 is 
closed. 

The tableau procedure returns "no" if the final tableau is closed; otherwise, it returns 
"yes" and, moreover, provides sufficient information for producing a finite model satisfying 8; 
that construction is described in section 15.21 

Example 1 (continued) Consider the initial tableau for our formula 9\ . First, no states of 
that tableau contain patent inconsistencies. Moreover, all four states containing the eventual- 
ity — i (( 1 )) □ (which is the only eventuality in the tableau) get marked with respect to 
Indeed, A2 and A4 get marked since they contain Ai get marked since all the relevant 
move vectors (i.e, those for which neg(er) = 1 and agent 2 votes negatively; there are 3 such 
move vectors: (0, 2), (1, 2), (2, 1)) lead to a state A4 that is marked; finally A3 is marked as 
the only move vector going out of that state leads to a marked state, A4. Lastly, all the states 
have all the required successors. Therefore, no state of the initial tableau gets eliminated, 
hence, the final tableau T® 1 coincides with the initial tableau Tq 1 . Thus, T® 1 is open (it con- 
tains two states, Ai and A2, containing 6\); therefore, 6\ = A ((1, 2)) Op A ->((2)) O^p 
is satisfiable. 

Example 2 (continued) Consider the initial tableau for the formula 62. We have to elim- 
inate state A' 2 due to (El), as it contains a patent inconsistency. For the same reason, we 
have to eliminate A 3 . Furthermore, state A 4 gets eliminated due to (E3) since it contains 
an eventuality ({2])pUq, but does not get marked with respect to it, as the only consistent 
state reachable from A 4 along the "relevant" move vector (0, 1), which is A 4 itself, does not 
contain q. Then, A\ has to be eliminated, as both states reachable form it along the move 
vector (0,1) have been eliminated. Thus, all the states containing the input formula, namely 
A'i and A' 2 , are eliminated from the tableau. Therefore, the final tableau for 62 is closed and, 
hence, 62 = ((1)) □— >g A ((2}pUq is unsatisfiable. 

4.6 Incremental tableaux for CTL 

The branching-time logic CTL can be regarded as the one-agent version of ATL, where ((0)) 
is the universal path quantifier and ((1)) is the existential path quantifier. Thus, after due 
simplifications (notably, of the rule (Next)), our tableau method produces an incremental 
tableau procedure for CTL, which is practically more efficient (in the average case) than 
Emerson and Halpern's top-down tableau from [9]. 

4.7 Complexity of the procedure 

We now estimate the complexity of the tableau procedure described above. As before, let 
n = \9\, k = |Sfl|, and let c be the constant from the equation |ecl(#)| = c • \9\ (recall 
Lemma 14. 6p . 
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As we have seen, the costs of the construction phase and of the prestate elimination 
phase are, respectively, e>(2( fc + 2 ) lo g( c ™)+ 2c ") an d 0(2 3cn ) steps. It, thus, remains to estimate 
the time required for the state elimination phase. During that phase, we first apply (El) 
to every state of the initial tableau. To do that, we need to go through 0(2 cn ) states, 
and for each formula (p of each state A check whether —up € A; this can be done in time 
0{2 cn x (cn) 2 ) = e>(2 21 °g(cn)+ C n)_ 

Next, we embark on the sequence of dovetailed applications of (E3) and (E2). We do 
it in cycles, whose number is bounded by C(2 cn ), each cycle involving going through all 
the eventualities, whose number is bounded by 0{cn). For each eventuality £, we have to, 
first, run the marking procedure with respect to £ and then remove, as prescribed by (E3), 
all the relevant unmarked states; then, we apply the procedure implementing (E2). The 
latter procedure can be carried out in 0(2 cn x (cn k + cn)) = 0(2 klo ^ +n + 2 lo §( cn )+ cn ) = 
£)(2 fclog ( cn ) +n ) steps, as we should go through 0(2 cn ) states, doing the check for 0((cn) k ) 
moves marking outgoing arrows, and possibly deleting 0(cn) formulas of the state. Since 
k < n, the cost of applying (E2) is bounded by 0{2 nlo ^ cn ^ +n ) = 0(2«( lo gM+l)) steps. As 
for the former, we need to compute the set of states realizing £ in , which can be done in 
0(2 fclo §( cn )+ 3cn ) steps, as we do at most 0(2 cn ) "global" status updates, each time updating 
the status for at most O(2 on ) states, each of these updates requiring looking at 0((cn) k ) 
possible moves, which as several outgoing arrows can be marked with the same move, can be 
repeated at most 0{2 cn ) times. (For simplicity, we disregard the cost of applying deleting 
states with unrealized eventualities, as its complexity, 0(2 cn x cn), is clearly dominated by the 
complexity of the marking procedure.) Thus, the whole sequence of dovetailed applications 
of (E2) and (E3) requires 0((2 cn x cn) x (2 fek «( cn ) +n + 2 fclk «( cn ) +3cn )) = 0(2( fc + 1 ) lo g( c ")+ 4cri ). 

Thus, the overall complexity of our tableau procedure is 0{2 i - k+2 ^°^ cn ^ +2cn ) + 0(2 3cn ) + 
( 2 (k+l)i g(cn)+4eny Ag k < this expression is bounded by 0(2 n lo s n+5cn ) = 0(2 2nlo ^ n ) = 
0(2 2 W l0 ^ e \). This upper bound appears to be better than the one claimed in [30] for the top- 
down tableaux developed therein (namely, 0(2™ )); a more careful analysis reveals, however, 
that the upper bound for tableaux from [30] is within 0(2 2nl °g n ), too. 

5 Soundness and completeness 

We now prove that the tableau procedure described above is sound and complete with respect 
to ATL semantics as defined in section 12.21 in algorithmic terminology, we show that the 
procedure is correct. 

5.1 Soundness 

Technically, soundness of a tableau procedure amounts to claiming that if the input formula 
9 is satisfiable, then the final tableau T e is open. 

Before going into the technical details, we give an informal outline of the proof. The 
tableau procedure for the input formula 9 starts off with creating a single prestate {9}. Then, 
we unwind {9} into states, each of which contains 9. To establish soundness, it suffices to 
show that at least one these states survives to the end of the procedure and is, thus, part of 
a final tableau. 

We start out by showing (Lemma 15.11) that if a prestate T is satisfiable, then at least 
one state created from T using (SR) is also satisfiable. In particular, it ensures that if 9 is 
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satisfiable, then so is at least one state obtained by (SR.) form {#}. To ensure soundness, it 
is enough to show that this state never gets eliminated from the tableau. 

To that end, we first show (Lemma 15. 2|) that, given a satisfiable state A, all the prestates 
created from A by (Next) — each of which is associated with a move vector, say a — are 
satisfiable; according to Lemma 15-H each of these prestates will give rise to at least one 
satisfiable state. It follows that, if a tableau state A is satisfiable, then for every move vector 
a at A, in the initial tableau, A will have at least one satisfiable successor reachable by an 
arrow marked with a; hence, if A is satisfiable, it will not be eliminated on account of (E2). 
Lastly, we show that no satisfiable states contain unrealized eventualities (in the sense of 
Definitions 14.71 and I4.8p . and thus cannot be removed from the tableau on account of (E3). 
Thus, we show that a satisfiable state of the pretableau cannot be removed on account of 
any of the state elimination rules and, therefore, survives to the end of the procedure. In 
particular, this means that at least one state obtained from the initial prestate 9, and thus 
containing 9, survives to the end of the procedure — hence, the final tableau for 9 is open, as 
desired. 

We start with the lemma that essentially asserts that the "state-creation" component of 
our tableaux preserves satisfiability. 

Lemma 5.1 Let T be a prestate ofV e and let Ai, s lh T for some CGM Ai and some s£M. 
Then, Ai,s lh A holds for at least one A 6 states(T). 

Proof. Straightforward (see a remark at the end of section [3TT1 though). □ 

The next lemma shows that (Next) creates from satisfiable states satisfiable prestates 
(to see this, compare the condition of the lemma with Remark 14.3ft . 

Lemma 5.2 Let 3> = {((^4i)) Ofi, ■ ■ ■ , iA m J) Of m , _, ((^4')) Oip} be a set of formulae such that 
Ai n Aj = for every 1 < i, j < m and Ai C A 1 for every 1 < i < m. Let Ai,s lh <3? for some 
CGM Ai and s £ Ai. Let, furthermore, aj^ £ Da^s) be an Ai-move witnessing the truth of 
((Aj)) Oifi at s, for each 1 < i < m, and let, finally, a^, G D^,{s) be a co-A' -move witnessing 
the truth of ^([A')) Oip at s. Then, there exists s' £ out(s, q^) D ... fl out(s, cJ4 m ) n out(s, cr|,) 
such that Ai, s' lh {(pi, . . . , (p m , ->i/j}. 

Proof. As A{ n Aj = for every 1 < i, j < m and Ai C A 1 for every 1 < i < m, all the moves 
oa % , where 1 < % < m, can be "fused" into a move o~Ai u ... u A m ■ Then, the application of the 
co-move a^, to any extension of ga 1 u . . . u A m to a move of the coalition T,q\A' D A\ U ... U A m 
produces a move vector a such that s' = 5(s,a) satisfies both properties from the statement 
of the lemma. □ 

The preceding two lemmas show that from satisfiable (pre)states we produce satisfiable 
(pre)states. This, in particular, implies two things: first, at least one of the states containing 
the input formula 9 is satisfiable and, second, satisfiable states never get eliminated due to 
(E2). It is also clear that a satisfiable state can not contain a propositional inconsistency 
and thus be removed due to (El). 

Therefore, all that remains to show is that (E3) does not eliminate from tableaux satisfi- 
able states. To that end, we will need some extra definitions and pieces of notations drawing 
analogies between what happens in CGMs and tableaux (Definition 15.31 through Notational 
convention 15.50 . 
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In what follows, we treat labels of the arrows of the tableaux as move vectors; the concepts 
of ^4-move, and all the concomitant definitions and notation are then used in exactly the same 
way as for CGFs (see section [2.2.1|) ; analogously for co-A-moves (see section , We only 
explicitly mention what notion (i.e., the one relating to the semantics of ATL or to tableaux) 
is referred to if the context leaves room for ambiguity. The only notion that differs between 
ATL-semantics and the ATL-tableaux is that of "outcome" of (CGF vs. tableau) moves and 
co-moves. Unlike the former, the latter are generally not unique, as there might be several 
outgoing arrows from a state A labeled with the same "move vector" a. We, however, define 
an outcome set of a tableau ^4-move ga to contain exactly one state obtained from A by 
following a given ga to make them resemble outcomes of ^4-moves in CGFs. 

Definition 5.3 Let A G S Q n and ga G Da(A). An outcome set of ga at A is a minimal set 
of states X C such that, for every g □ ga, there exists exactly one A' G X such that 
A A'. 

Outcome sets for tableau co-moves are defined analogously: 

Definition 5.4 Let A G S® t and g^ G D A (A). An outcome set of cr| at A is a minimal set 
of states X C such that, for every ga G Da(A), there exists exactly one A' G X such that 

A^A'. 

Notational convention 5.5 

1. Whenever we write {A p } Oip p G A G S^, we mean that ([A p } 0(p p is the p-th formula 
in the linear ordering of the next-time formulae of A induced as part of applying the 
(Next) rule to A. We use the notation -i((^4'}) Oip q G A G Sf^ in an analogous way. 

2. Given {A p } 0(f p G A G S^, by ga p [{A p } 0(f p ] we denote (the unique) tableau A p -move 
ga p G Da v {A) such that ga v {o) = p for every a G A p . 

3. Given a proper -i^A^} Oyj q G A G S n , by g^i [->((A' q } Oifiq] we denote (the unique) 
tableau co-A' q -move satisfying the following condition: neg(cr| ; {ga 1 )) = Q and — A' q C 
N(G^(G A ' q )) for every G A < q G D A < q {A). 

We now get down to proving that (E3) does not eliminate any satisfiable states. We need 
to show that if a tableau contains a state A that is satisfiable and contains an eventuality £, 
then £ is realized at A. This will be accomplished by showing that 7^ "contains" a structure 
(more precisely, a tree) that, in a sense to be made precise, "witnesses" the realization of £ 
at A in T®. This tree will, in a sense to be made precise, emulate a tree of runs effected by 
a strategy or co-strategy that "realizes" an eventuality in a model. This simulation is going 
to be carried out step-by-step, each step, i.e. ^4-move (in the case of ((A))ipUip) or co-A-move 
(in the case of ^([AJ)Oip) will be simulated by a tableau move or co-move associated with a 
respective eventuality. That this step-by-step simulation can be done is proved in the next 
two lemmas (together with their corollaries). 

Lemma 5.6 Let ((A p ))Cxp p eAeSj and let M, s lh A for some CGM M and state s G Ai. 
Let, furthermore, ga v G Da p (s) be an A p -move witnessing the truth of ({A p )) 0(f p at s. Then, 
there exists in T® an outcome set X of ga p [^A p )) Of p ] such that for each A' G X there exists 
s' G out(s,GA p ) such that Ai,s' lh A'. 
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Proof. Consider the set of prestates Y = { T G prestates(A) | A — ► T for some a □ 
<ja p [((A p } Oipp] }. Take an arbitrary T G Y. It follows immediately from the (Next) rule (see 
Remark 14. 3D that T (which must contain ip p ) is either of the form {(pi, . . . , (/? m , where 

{((A 1 ))0 Vl , (A m ))0 Vm , ->(A')Oip} C A 

satisfies the condition of Lemma l5T2l or of the form {(pi, . . . , c/? m }, where 

{{(Ai}0<px, {A m }0<p m } C A 

and n = for every 1 < i,j < m. 

As .M,s Ih A, in the former case, by Lemma 15.21 there exists s' G out(s,o~A p ) with 
A4, s' Ih r. Then T can be extended to a downward saturated set A' containing at least one 
next-time formula (((£#)) OT if nothing else) such that A4, s' Ih A'. This is done by choosing, 
for every /^-formula to be dealt with, the "disjunct" that is actually true in M. at s' (if both 
"disjuncts" happen to be true at s', the choice is arbitrary). 

In the latter case, the same conclusion follows from Lemma [5.21 again, by adding to A the 
valid formula -i((Eq))0-L. 

To complete the proof of the lemma, take X to be the set of all tableau states A' obtain- 
able from the prestates in Y in the way described above. □ 

Corollary 5.7 Let (A p ))Oip p G A G S e n and let M,s Ih A for some CGM M and state 
s G M.. Let, furthermore, oa v G Da p (s) be an A p -move witnessing the truth of ({A p ))Otp p 
at s and let \ S eel (6*) be a ^-formula, whose Pi-associate (i G {1,2},) is \i- Then, there 
exists in T® an outcome set X Xi of oa p [{(A p ]) O tp p ] such that for every A' G X Xi there exists 
s' G out(s,aA p ) such that Ai,s' Ih A', and moreover, if M,s' Ih Xi; then x-i G A'. 

Proof. Construct X Xi in a way X was constructed in the proof of the preceding lemma, 
with a single modification: when dealing with the formula x> instead of choosing arbitrarily 
between xi an d X2, choose Xi whenever it is true at s' . □ 

Lemma 5.8 Let ->((A' q )) Oip g G A G S e n and let M,s Ih A for some CGM M. and state 
s G M. Let, furthermore, <r|; G D^, (s) be a co-A' q -move witnessing the truth of Oip q 

at s. Then, there exists in T® an outcome set X ofa^, [ _, ((^4g)) OV'g] such that for each A' £ X 
there exists s' G out(s, ct|, ) such that A4, s' Ih A'. 

Proof. Consider the set of prestates Y = { T G prestates(A) [ A — > r, a = a\, [-^((A' q )} 0^ q ](aA' q ) 
for some oa> G Dal ( A) }. Take an arbitrary T GY. It follows immediately from the (Next) 
rule (see Remark l4*3p that T (which must contain ^ip q ) is either of the form {(fi, . . . , cp m , ^ipq}, 
where 

{((A 1 ))Oi Pl , ((A m ))Oip m , -^({A' q ))OiP q } C A 

satisfies the condition of Lemma 15.21 or of the form 

As A4,s Ih A, in the former case, by Lemma 15.21 there exists s' G out(s,a9,) with 

i 

A4, s' Ih r. Then T can be extended to a downward saturated set A' containing at least one 
next-time formula (((£#)) OT if nothing else) such that A4, s' Ih A'. This is done by choosing, 
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for every /3-formula to be dealt with, the "disjunct" that is actually true in M. at s' (if both 
"disjuncts" are true, choose arbitrarily). 

In the latter case, the same conclusion follows from Lemma l5. 21 again, by adding to A the 
valid formula «0»OT. 

To complete the proof of the lemma, take X to be the set of all tableau states A' obtain- 
able from the prestates in Y in the way described above. □ 



Corollary 5.9 Let ->{A' q } Oip q eAeSj and let M,s lh A for some CGM M and state 
s G M.. Let, furthermore, <r|, G D£, (s) be a co-A' q -move witnessing the truth of -i((A^)) O i/j q 
at s and let x £ eel (6*) be a (3 -formula, whose Pi-associate (i G {1,2},) is \i- Then, there 
exists in T® an outcome set X Xi of erJJ, {-<{A f q }} Oi[) q ] such that for every A' G X Xi there exists 
s' G out(s,o~A> ) such that A4,s' lh A', and moreover, if A4,s' lh Xi> then \i € A'. 

Proof. Analogous to the proof of Corollary 15.71 □ 

We now show that the tableau moves (for eventualities of the form ((A^pUif)) and co-moves 
(for eventualities of the form -i((A.))Dy>) whose existence was established in the preceding 
two lemmas can be stitched together into what we call eventuality realization witness treeqj. 
Theses trees, as already mentioned, simulate trees of runs effected in models by (co-)strategies. 
It will then follow that the existence of such a tree for a state A means that it cannot be 
removed from a tableau due to (E3). 

Definition 5.10 Let TZ = (R, — >) be a tree and X be a non-empty set. An X-coloring oflZ 
is a mapping c : R i— > X . When such mapping is fixed, we say that TZ is X-colored. 

Definition 5.11 A realization witness tree for the eventuality ((A^ipUip at state A G is 
a finite S^-colored tree TZ = (R, — >) such that 

1. the root ofTZ is colored with A; 

2. if an interior node ofTZ is colored with A', then {<p, ((.A)) O ({A^ipUip, (lAj)(pUij)} C A'; 

3. for every interior node wofTZ colored with A', the children of w are colored bijectively 
with the states from an outcome set of o~a [((A)) O ((A)) ipLd/j] G Djy(A'); 

4- if a leaf ofTZ is colored with A', then {ip, ({AJiLpUip} C A'. 

Definition 5.12 A realization witness tree for the eventuality -i((A))D</? at state A G is 
a finite S^-colored tree TZ = (R, — >) such that 

1. the root ofTZ is colored with A; 

2. if an interior node ofTZ is colored with A', then {-i((A)) O ((A)) ((A)) Oip} C A'; 

3. for every interior node wofTZ colored with A', the children of w are colored bijectively 
with the states from an outcome set of o~% [—> (( A.)) 0((A))n</3]; 

9 In the context of this paper, by a tree we mean any directed, connected, and acyclic graph, each node of 
which, except one, the root, has exactly one incoming edge. 
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4- if a leaf ofTZ is colored with A', then {—np,—i([A]/Oip} C A'. 

Lemma 5.13 Let 1Z = {R,—*) be a realization witness tree for an eventuality £ at A G S^. 
Then, £ is realized in T® at every A' coloring a node of R — in particular, at A in T® . 

Proof. Straightforward induction on the length of the longest path from a node colored by A' 
to a leaf of 1Z (recall that realization of eventualities was defined in Definitions 14. 71 and I4.8P . □ 

We now prove the existance of realization witness trees for satisfiable states of tableaux 
containing eventualities. 

Lemma 5.14 Let £ G A be an eventuality formula and A G S® be satisfiable. Then there 
exists a realization witness tree 1Z = (R, — >) for £ at A G S®. Moreover, every A' coloring a 
node of R is satisfiable. 

Proof. We only supply the full proof for eventualities of the form ([AJupUtp; we then indicate 
how to obtain the proof for eventualities of the form -i((A))Dc/9. 

If tp G A, then we are done straight off — the realization witness tree is made up of a single 
node, the root, colored with A. Hence, we only need to consider the case when tp ^ A. As A 
is downward saturated, then {ip, ([A} O ((A))ipUtp} C A. 

So, suppose that _A/[,s lh A; in particular, M.,s lh (p and M.,s lh ((A)) O {(A}ipUip. The 
latter means that there exists oa G Da(s) such that s' G out{s,OA) implies A4,s' lh ((A))(pUtp. 
Now, ([A} O ({A}) (pUip is a positive next-time formula. Since A is satisfiable, it does not 
contain a patent inconsistency; hence, the (Next) rule has been applied to it. As part of that 
application, ((A)) O ((A))y> Utp has been assigned a place, say p, in the linear ordering of the 
next-time formulae of A. Furthermore, {(AJ)ipUtp is a /3-formula whose is tp. Therefore, 
Corollary [521 is applicable to A, % = {(A}(pUip, xi = ((A)) O ({A}ipUtp, and \2 = ip- According 
to that corollary, there exists an outcome set of ^[((A)) O ((A))</? Uip] at A such that, for 
every A' G X^, there exists s' G out(s, cta) such that Ai, s' lh A' and, moreover, if A4, s' lh tp, 
then ip G A'. We start building the witness tree 7Z by constructing a simple tree (i.e., one 
with a single interior node, the root) whose root r is colored with A and whose leaves are 
colored, in the way prescribed by Definition 15. 11\ by the states from X^. 

Next, since A4,s' lh ({A}(pUip for every s' G out(s,aA), it follows that for every such s' 
there exists a (perfect-recall) A-strategy such that for every A G out(s', ) there exists 
i > with .M,A[i] lh ip and A4,X[j] lh ip holds for all < j < i. Then, playing oa followed 
by playing FJ for the s' G out{s,OA) "chosen" by the counter-coalition Eg \ A constitutes a 
(perfect-recall) strategy Fa witnessing the truth of {(A}ipUip at s. 

We, then, continue the construction of 1Z as follows. For every s' G out(s, o~a) (each such 
s' has been matched by a node of 1Z at the initial stage of the construction of 7Z) , we follow 
the (perfect-recall) strategy F£ , matching every state s" appearing as part of a run compliant 
with Fj[ and satisfying the requirement that A4, s" )¥- ip with a node w" of 7Z and matching 
every A-move of F£ at s" with the A-move in the tableau oa[((A} O ((A}ipUip] G ZAa(A") 
for the state A" coloring the node w" . In this way, we follow each F£ along each run, up 
to the point when we reach a state t where tp is true; at that point we reach the leaf of the 
respective branch of the tree we are building, as by construction, the node associated with t 
will be colored with a state containing both tp and ({AJjipUtp. 

In the manner outlined above, we are guaranteed to build a tree satisfying all conditions 
of Definition 15.111 Indeed, the very way the tree is built guarantees that conditions (1-4) of 
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that definition hold. As for finiteness, assuming that the resultant tree is infinite implies that 
it contains an infinite branch colored with sets not containing ip, which in turn implies the 
existence of A G out(s, FX) such that for every i > we have A4, X[i] II — <ip, which contradicts 
the fact that Fa is a strategy witnessing the truth of ((A))ipUip at s. 

Thus, we have obtained a realization witness tree 1Z for ((A^ipUip at A in T^. Moreover, 
it is clear from the way this tree has been built that every state coloring a node of 1Z is 
satisfiable (in A4). 

The proof for eventualities of the form -i((^4))D(/? is completely analogous, with reference 
to Corollary 15.91 rather than Corollary 15.71 using the fact that -i((j4 ))□</? is a 0- formula, with 
0i = -«p and 02 = - (A) O (A)) U<p. □ 

Theorem 5.15 (Soundness) If 9 is satisfiable, then T e is open. 

Proof. We will prove that no satisfiable states are eliminated in the state elimination phase 
of the construction of the tableau. The statement of the lemma will then follow immediately 
from Lemma l5.lt which implies that if the initial prestate {8} is satisfiable, then at least one 
state of T 9 containing 6 is also satisfiable. 

As the elimination process proceeds in stages, we will prove by induction on the number 
n of stages that, for every A G Sg, if A is satisfiable, then A will not be eliminated at stage 
n. 

The base case is trivial: when n = 0, no eliminations have yet been done, hence no 
satisfiable A has been eliminated. 

Now inductively assume that, if A' G Sq is satisfiable, it has not been eliminated during 
the previous n stages of the elimination phase, and thus A' G S^. Consider stage n + 1 and a 
satisfiable A G Sq. By inductive hypothesis, A £ Sf. We will now show that no elimination 
rule allows elimination of A from T®] hence, A will remain in T® +1 . 

(El) As A is satisfiable, it clearly cannot contain both (p and —«p; therefore, it cannot be 
eliminated from T® due to (El). 

(E2) Due to the form of the (Next)-rule (see Remark I4.3p . it immediately follows from 
Lemma 15.21 that if A is satisfiable, then all the prestates in prestates(A) are satisfiable, 
too. By virtue of Lemma 15.11 contains for every a G D(A) at least one satisfiable A' 
with A — — > A'. By the inductive hypothesis, all such A' belong to T®; thus, A can not be 
eliminated from due to (E2). 

(E3) We need to show that if A is satisfiable and contains an eventuality £, then £ is 
realized at A in T®. 

According to Lemma l5.14( there exists a realization witness tree 1Z = (i?, — ►) for £ at A 
in 7q and every A' coloring a node of R is satisfiable. Therefore, by inductive hypothesis, 
each such A' belongs to S^. Then, it is clear from the construction of 1Z in the proof of 
Lemma |5.14|, that TZ will still be a realization witness tree for A in Tjf. Then, by virtue of 
Lemma l5.13( £ is realized at A in T^, hence cannot be eliminated due to (E3). □ 

5.2 Completeness 

Completeness of a tableau procedure means that if the final tableau for the input formula 
6 is open, than 9 is satisfiable. The completeness proof presented in this section boils down 
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to building a Hintikka structure Tig for the input formula 6 out of the open tableau T . 
Theorem 13.91 then guarantees the existence of a model for 0. 

Our construction of a Hintikka structure Tig for 6 out of T e is going to resemble building 
a house, when bricks are assembled into prefab blocks that are then assembled into walls that 
are finally assembled into a complete structure. We will use analogues of all of those in our 
producing a Hintikka structure for 0. Larger and larger components of our construction will 
satisfy more and more conditions required by Definition 13.21 so that by the end, we are going 
to get a fully-hedged Hintikka structure. 

The "bricks" of Tie are going to be the states of T e . Being downward-saturated sets 
containing no patent inconsistencies (otherwise, they would have been eliminated due to 
(El)), they satisfy conditions (H1)-(H3) of Definition E2J 

The "prefab blocks" are going to be locally consistent simple T e -trees, which it is our next 
task to define. Intuitively, these trees are one-step components of the Hintikka structure we 
are building. 

Definition 5.16 Let W = (W,~>) be a tree and Y be a non-empty set. A y-labeling of W 

is a mapping I from the set of edges of W to the set of non-empty subsets ofY. When such 
mapping is fixed, we say that W is labeled by Y. 

Definition 5.17 A tree W = (W,~») is a T e -tree if the following conditions hold: 

• W is S® -colored (recall Definition 1 5. 1 0\) . by some coloring mapping c; 

• W is labeled by U^ gS e-D(A), by some labeling mapping I; 

• l(w w') C D(A) for every w € W with c(w) = A. 

Definition 5.18 A T 6 '-tree W = (W, ~») is locally consistent if the following condition holds: 

For every interior node w G W with c(w) = A and every A-successor A' G S e , 
there exists exactly one w' G W such that l(w ~» w') = { a \ A — — > A' }. 

That is, a locally consistent tree can not have two distinct successors w' = c(A') and 
w" = c(A") of an interior node w = c(A) such that { a \ A — —> A'} = {a \ A — — > A"}. 
Note that we label edges of T -trees with sets of move vectors as each edge in a tableau can 
be marked by more than one move vector. 

Definition 5.19 A tree W = (W,~») is simple if it has no interior nodes other than the 
root. 

Locally consistent simple T^-trees will be our building blocks for the construction of a 
Hintikka structure from an open tableau T e . Essentially, we are extracting from tableaux 
one-step structures that resemble CGMs in that every interior node of these structures has 
exactly one outcome state associated with a given move vector. In other words, while an open 
tableau encodes all possible Hintikka structures for the input formula, we are extracting only 
one of them, by choosing the outcome states associated with move vectors at each state out 
of possibly several such outcomes. 

We now prove the existence of locally consistent simple T e -trees associated with each 
state A. 
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Definition 5.20 Let A G S° . A T b -tree W is rooted at A if the root of W is colored with 
A, i.e., c(r) = A, where r is the root ofW. 

Lemma 5.21 Let A G S e . Then, there exists a locally consistent simple T 6 '-tree rooted at A. 

Proof. Such a tree can be built as follows: consider all successor states A' of A in T e . With 
each of them is associated a non-empty set of "move vectors" { a | A — —> A' }. The T^-tree 
will then consist of a root r colored with A and a leaf associated with each such set of move 
vectors, colored with any of the successor states A' with which this particular set of moves 
is associated (note that, in general, a tableau can contain more than one such A'); the edge 
between the root r and a leaf t is then labeled by the set of moves { (T | A — U c(t)}. Note 
that, by construction of the tableau, different successor states A' of A are reachable from A 
by pairwise disjoint sets of moves. □ 

The next lemma essentially asserts that, in addition to conditions (H1)-(H3), locally 
consistent simple T^-trees also satisfy conditions (H4)-(H5) of Definition [321 where outcomes 
of A-moves and co- A-moves are defined for such trees as for CGFs; recall that edges of these 
trees are labeled with sets of move vectors. Thus, locally consistent simple T e -trees are closely 
approximating Hintikka structures, but so far only locally. 

Lemma 5.22 Let S be a locally consistent simple T 9 -tree rooted at A. Then, the following 
hold: 

1. If ((A)) Oip G A = c(w), then there exists an A-move &a £ Da{w) such that cp G A' for 
all A' = c(w') G out(A,aA). 

2. J/-i((A)) Oip G A = c(w), then there exists a co-A-move <r| G D c A {w) such that ^ip G A' 
for all A' = c(w') G out(A, erf). 

Proof. Note that every A G S e is not patently inconsistent. Therefore, we can assume 
throughout the proof that all next-time formulae of A have been linearly ordered as part of 
applying the (Next) rule to A. 

(1) Suppose that ((A)) Ov? £ A. Then the required A-move is o>i[((A)) Oip] (recall Nota- 
tional convention 15. 5p . Indeed, it immediately follows from the rule (Next) that for every 
£>"□ a A [(A))0(p] in the pretableau V 9 , if A T then tp G T. Now, in T e we have A A' 
only if in V 9 we had A — —> T for some T C A'. Therefore, ip G A' for every A' in any outcome 
set of px[((A)) 0<p>] at A, and the statement of the lemma follows. 

(2) Suppose that -■((A)) Oip G A. We have two cases to consider. 

Case 1: A 7^ Y,q. Therefore, there exists b G T,g \ A and, furthermore, "■((A)) Oip occupies 
some place, say q, in the linear ordering of the next-time formulae of A. Consider an arbitrary 

OA G Da(A). We claim that oa can be extended to a' □ a A such that A — > A' and ^ip G A' 
for some A'. To show that, denote by N(cta) the set { i \ ga{i) > rn }, where m is the number 
of positive next-time formulae in A', and by neg(cx) the number ^ieiY^jfeW — 

mod /, where / is the number of negative next-time formulae in A. Now, consider a' □ aA 
defined as follows: o£ = ((q — neg^)) mod I) + m and a', = m for any a' G Y>q \ (A U {b}). 
It is easy to see that \ A C N(a'), and moreover, that neg(c') = (neg(ox) + (q — neg(<7A))) 

mod I = q. We conclude that in the pretableau V 8 , if A — > T, then ^ip G T. But, S contains 
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at least one leaf colored with such A' that A — > A', and this A' was obtained by extending 

a r with A — > T; hence, —up G A', and the statement of the lemma follows. 

Case 2: A = Eg. Then, by virtue of (H2), (QjO^ip G A and thus, by the rule (Next), 
-199 G r for every T G prestates(A). Then, -199 G A' for every A' that is a successor of A in 
T and hence in the coloring set of every leaf of S. Then, the (unique) co-S^-move, which is 
an identity function, has the required properties. □ 

Now, we come to the "walls" of our building — the components of the future Hintikka struc- 
ture that take care of single eventualities. Following [17], we call them final tree components. 
Each final tree component is built around a realization witness tree for the corresponding 
eventuality (recall Definitions 15.111 and I5.12|) , the existence of which is proved in the forth- 
coming lemma. 

Lemma 5.23 Let £ be an eventuality realized at A in T®. Then, there exists a realization 
witness tree TZ for £ at A in T® . 

Proof. To build TZ, we use the concept of the realization rank of A in Tj~ with respect 
to an eventuality £, which we define as the shortest path from A to a state witnessing the 
realization of £ at A (if £ = (lAJjiplAip, such a state contains ip; if £ = -i((A))dy>, then such 
a state contains -up) and denoted by rank(A, £, T®)- ^ such a path does not exists, then 
rank(A,£, T®) = 00. Clearly, if £ is realized at A in 7^f, then rank(A, £, T® ) is finite. 

Suppose, first, that £ is of the form {(A}(pUip. We start building TZ by taking a root 
node and coloring it with A. Afterwards, for every w' G TZ colored with A', we do the 
following: for every crZI a A [((A)) O ((A))tpUip] G D(A'), we pick the A" G succ^A') with the 
least rank(A", ({A))(pUip,T®) and add to TZ a child w" of w' colored with A". As {{A))(pUip 
is realized at A, it follows that rank(A, (lA^tpUip, 7~®) is finite. By construction of TZ and 
definition of the rank, each child of every node of the so constructed tree has a smaller 
realization rank than the parent. Therefore, along each branch of the tree we are bound to 
reach in a finite number of steps a node colored with a state whose realization rank with 
respect to {(A}(pUif) is 0; such nodes are taken to be the leaves of TZ. As every node of TZ 
has finitely many children, due to Konig's lemma, TZ is finite. Therefore, so constructed TZ is 
indeed a realization witness tree for ((A])ipUip at A in T®. 

Suppose, next, that £ is of the form -i((A))dy>. Again, we begin by taking a root node 
and coloring it with A. Afterwards, for every w' G TZ colored with A', we do the following: 
for every a = cr£[-i((A)) O (A))D(p}(a A ) G D(A'), we pick the A" G succ^A') with the least 
rank(A",^(( J 4))D(^,7; e ) and add to TZ a child w" of w' colored with A". The rest of the 
argument is analogous to the one for the other eventuality. □ 

Now, we are going to use realization witness trees to build T^-trees doing the same job 
for eventualities as realization witness trees do, i.e., "realizing" them in a certain sense. The 
problem with realization witness trees is that their nodes might lack successors along some 
"move vectors"; the next definition and lemma show that this shortcoming can be easily 
remedied, by giving each interior node A of a realization witness tree a successor associated 
with every move vector a G A. 
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Definition 5.24 Let W = (W,~>) be a locally consistent T -tree rooted at A and £ G A be 

an eventuality formula. We say that W realizes £ if there exists a subtre^\ of W rooted 
at A such that TZ^ is a realization witness tree for £ at A in T e . 

Lemma 5.25 Let £ G A G S e be an eventuality formula. Then, there exist a finite locally 
consistent T 6 '-tree rooted at A realizing £. 

Proof. Take the realization witness tree for £ at A in T 8 , which exists by Lemma 15. 231 
The only reason why may turn out not to be a locally consistent T e -tree is that some of 
its interior nodes do not have a successor node along every move vector a (recall that, in real- 
ization witness trees, every interior node has just enough successors to witness realization of 
the corresponding eventuality, and no more). Therefore, to build a locally consistent T e -tree 
out of 7^£, we simply add to its interior nodes just enough "colored" successors so that (1) 
for every interior node w' of and every a G D(w'), the tree contains a w" such that 
c(w") = A" for some A" G succ CT (A') (where A' = c{w')) and (2) satisfies the condition 
of Definition 15.181 It is then obvious that is a locally consistent T e -tree, by definition 
realizing £. Moreover, as according to Lemma 15.231 is finite, is finite, too. □ 

We want to build Hintikka structures our of locally consistent T -trees. Hintikka struc- 
tures are based on CGFs; therefore, we need to be able to "embed" such trees into CGFs. 
The following definition formally defines such an embedding. 

Definition 5.26 Let W = be a locally consistent T 6 '-tree and $ = (T,g,S,d,5) be a 

CGF. We say that W is contained in denoted W <C if the following conditions hold: 

• W C S; 

• if a£ l(w ~> w'), then w' = 5(w,a). 

Locally consistent T e -trees realizing an eventuality £ are meant to represent run trees in 
CGMs effected by (co-)strategies. We now show that if we embed the former variety of tree 
into a CGM then, as expected, this gives rise to a positional (co-)strategy witnessing the 
truth of £ under an "appropriate valuation" . (Intuitively, this (co-)strategy is extracted out 
of a locally consistent T^-tree when it is embedded into a CGF and can, thus, be viewed as a 
run tree). The following two lemmas prove this for two types of eventualities we have in the 
language. 

Lemma 5.27 Let, ((A}cpUip G A G S e and let W = (W,~>) be a locally consistent T 6 -tree 
rooted at A and realizing (lA^cpUtp. Let, furthermore, $ = (Ylg,S,d,5) be a CGF such that 
>V < J. Then, there exists a positional A-strategy FX in ^ such that, if X £ out(w,F\), where 
c(w) = A, then there exists i > such that ip G X[i] G W and if G X\j] G W holds for all 
< j < i. 

Proof. At every node w' of the realization witness tree for ((AJjipUip, which is contained 
in W, take the A-move px[((-A)) O {(A))(p Uip] G Da(w'). At any other node, for definiteness' 
sake, take the lexicographically first A-move. This strategy is clearly positional and has the 
required property. □ 



By a subtree, we mean a graph obtained from a tree by removing some of its nodes together with all the 
nodes reachable from them. 
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Lemma 5.28 Let, -^((A))Dip G A G S e and let W = (W,~*) be a locally consistent T e -tree 
rooted at A and realizing -i((vl})ny>. Let, furthermore, $ = (Eg, S,d,5) be a CGF such that 
W <^.$. Then, there exists a positional co- A- strategy F c a in $ such that, if A G out(w,F c A), 
where c(w) = A, then ~^ip G X[i] G W for every i > 0. 

Proof. At every node w' of the realization witness tree for which is contained in W, 

take the co-A-move a^l^iA)} O G Da(w'). At any other node, for definiteness' sake, 

take the lexicographically first co-A-move. This co-j4-strategy is clearly positional and has 
the required property. □ 

Our next big step in the completeness proof is to assemble locally consistent T^-trees 
realizing eventualities as well as locally consistent simple T 9 -trees into a Hintikka structure 
for 9. To do that, we need the concept of partial concurrent game frame that generalizes that 
of CGF. Partial CGFs are different from CGFs in that they have "deadlocked" states, i.e., 
states for which the transition function 6 is not defined (the analog in Kripke frames would 
be "dead ends" — the nodes that cannot "see" any other node); however, each deadlocked 
state of a partial CGF is an image of a transition function 5 for some (ordinary) state. We 
need partial CGFs as we will be building a Hintikka structure for 9 step-by-step, all but the 
final step producing partial CGFs having deadlocked states that will be given successors at 
the next stage of the construction. Put another way, the motivation for introducing partial 
CGFs is that locally consistent T^-trees are partial CGFs, and we want to build a Hintikka 
structure for 9 out of such trees. 

Definition 5.29 A partial concurrent game frame (partial CGF, for short) is a tuple & = 
(E, S,Q,d,5), where 

• E is a finite, non-empty set of agents; 

• S ^ is a set of states; 

• Q C S is a set of deadlock states; 

• d is a function assigning to every a S E and every s € S\Q a natural number d a (s) > 1 
of moves available to agent a at state s; notation D a (s) and D(s) has the same meaning 
as in the case of CGFs (see Definition \2.2\) : 

• 5 is a transition function satisfying the following requirements: 

— 5(s,a) G 5 for every s G S \Q and every a € D(s); 

— for every q G Q, there exist s G S \Q and a G D(s) such that q = 5(s, a). 

The concept of ^4-move is defined for partial CGFs in a way analogous to the way it is 
defined for CGFs; the only difference is that, in the former case, A-moves are only defined 
for states in S \ Q. The set of all A- moves at state s G S \ Q is denoted by Da{s). Outcomes 
of ^4-moves are defined exactly as for CGFs. Analogously for co-j4-moves. 

Definition 5.30 Let & = (E, S,Q,d,S) be a partial CGF and ACE. A positional A- 
strategy in S is a mapping FX : 5 i— > (J { Da(s) \ s G S \ Q } such that Fa(s) G Da(s) for all 
seS\Q. 
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Definition 5.31 Let & = (S, S,Q,d,5) be a partial CGF and A C E. A positional co-j4- 
strategy in 6 is a mapping F c a : 5 1 i— ► (J { -Df(s) | s € 5 \ Q } such that F c a(s) G Da(s) for 
allseS\Q. 

We now establish a fact that will be crucial to our ability to stitch partial CGFs that are 
locally consistent T -trees together. Intuitively, given such a partial CGF S and a state w of 
© colored with a set A" containing an eventuality {(A])(pUtl>, coalition A has a strategy such 
that every (finite) run compliant with that strategy either realizes ([AJ/ip Lfip or postpones its 
realization until a deadlocked state (Lemma 15, 33j) . Analogously for eventualities of the form 
-i((^4 ))□<£> and co-A-strategies (Lemma I5.34j) . First, a technical definition. 

Definition 5.32 Let & = (X, S, Q, d, 5) be a partial CGF and let s G S. An s-fullpath in & 

is a finite sequence p = sq, . . . , s n of elements of S such that 

• s = s; 

• for every < i < n, there exists crG D(si) such that = 5(si, a); 

• s n G Q. 

The fullpath p = sq, . . . , s n is compliant with the strategy FX, denoted p G out(F\), if Si + ± G 
out(F\(si)) for all < i < n. Analogously for co- strategies. The length of p (defined as the 
number of positions in p) is denoted by \p\. 

Lemma 5.33 Let S = (Eg, S, Q, d, 5) be a partial CGF such that 

1. SQ S e ; 

2. for every w G S, the set {w} U {w' | w' = 5(w,a), for some a G D(w) } is a set of 
nodes of a locally consistent simple T e -tree; 

3. (A))cpUip G A", where A" = c{w") for some w" G 5; 

Then, there exists a positional A-strategy F\ in<S such that, for every w" -fullpath p G out(F\), 
either of the following holds: 

• there exists < i < \p\ such that ip G c(p[i]) and ip G c(p[j]) for every < j < i; 

• (f G c(p[z]) for every < i < \p\. 

Proof. Straightforward. □ 

Lemma 5.34 Let & = (Eg, S, Q, d, 5) be a partial CGF such that 

1. S Q S e ; 

2. for every w G S, the set {w} U {w' | w' = 5(w,o~), for some a G D(w) } is a set of 
nodes of a locally consistent simple T e -tree; 

3. -.((A))D<p G A", where A" = c(w") for some w" G S; 
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Then, there exists a positional co- A- strategy F c a in & such that —xp G c(p[i]) for every A" - 
fullpath p G out{F c A) and every i > 0. 

Proof. Straightforward. □ 

Now, we define the building blocks, referred to as final tree components, from which a 
Hintikka structure for 9 will be built; the construction is essentially taken from \17\ . 

Definition 5.35 Let A G S e and £ G T e be an eventuality formula. Then, the final tree 
component for £ and A, denoted J-(£ t A)> * s defined as follows: 

• if £ G A, then -T^a) a finite locally consistent T 9 -tree rooted at A realizing £; 
the existence of such a tree being guaranteed by Lemma \5.25l 

• if ^ (ji A, then J~^ t A) ^ s a locally consistent simple T® -tree rooted at A; the existence of 
such a tree being guaranteed by Lemma \5.21\ 

We are now ready to define what we will prove to be a (positional) Hintikka structure for 
the input formula 9, which we denote by He- We start by defining the CGF J underlying Tie- 
To that end, we first arrange all states of T e in a list Ao, . . . , A n _i and all eventualities 
occurring in the states of T d in a list £oj • • • > Cm-i- We then think of all the final tree 
components (see Definition I5.35j) as arranged in an m-by-n grid whose rows are marked with 
the correspondingly numbered eventualities of T 9 and whose columns are marked with the 
correspondingly numbered states of T e . The final tree component found at the intersection 
of the ith row and the jth column will be denoted by Fuj)- The building blocks for $ will all 
come from the grid, and we build 5 incrementally, at each state of the construction producing 
a partial CGF realizing more and more eventualities. The crucial fact here is that if an 
eventuality £ is not realized within a partial CGF used in the construction, then £ is "passed 
down" to be realized later, in accordance with Lemmas 15.331 and 15.341 

We start off with a final tree component that is uniquely determined by 9, in the following 
way. If 9 is an eventuality, i.e., 9 = £ p for some < p < m, then we start off with the 
component J~(j hq ) where, for definiteness, q is the least number < n such that 9 G A q ; as T 9 
is open, such a q exists. If, on the other hand, 9 is not an eventuality, then we start off with 
•^"(0,9)) where q is as described above. Let us denote this initial partial CGF by So- 

Henceforth, we proceed as follows. Informally, we think of the above list of eventualities 
as a queue of customers waiting to be served. Unlike the usual queues, we do not necessarily 
start serving the queue from the first customer (if 9 is an eventuality, then it gets served 
first; otherwise we start from the beginning of the queue), but then we follow the queue 
order, curving back to the beginning of the queue after having served its last eventuality if we 
started in the middle. Serving an eventuality £ amounts to appending to deadlocked states 
of the partial CGF constructed so far final tree components realizing £. Thus, we keep track 
of what eventualities have already been "served" (i.e., realized), take note of the one that 
was served the last, say and replace every deadlocked state w such that c(w) = Aj of the 
partial CGF so far constructed with the final tree component Tru^ mod m ,j))- The process 
continues until all the eventualities have been served, at which point we have gone the full 
cycle through the queue. 

After that, the cycle is repeated, but with a crucial modification that will guarantee that 
the CGHS we are building is going to be finite: whenever the component we are about to 
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attach, say Fuj), is already contained in the partial CGF we have constructed thus far, 
instead of replacing the deadlocked state w (such that c(w) = Aj) with that component, we 
connect every "predecessor" v of w to the root of Fuf\ by an arrow ~* marked with the set 
l(v w). This modified version of the cycle is repeated until we come to a point when no 
more components get added. This result in a finite CGF J. Now, to define Tig, we simply 
put H(w) = c(w), for every w G 

Theorem 5.36 The above defined Tig is a (positional) Hintikka structure for 8. 

Proof. The "for 9" part immediately follows the construction of Tig (recall the very first step 
of the construction). It, thus, remains to argue that Tig is indeed a Hintikka structure. 

Conditions (H1)-(H3) of Definition 13.21 hold since states of Tig are consistent downward 
saturated sets. 

Conditions (H4) and (H5) essentially follow from Lemma 15.221 

Condition (H6) follows from the way Tig is constructed together with lemmas 15.271 and 
15.331 Lastly, condition (H7) follows from the way Tig is constructed together with lemmas [5.281 
and EMI 

Lastly, Tig is positional by construction. Indeed, it is built from final tree components, 
which are locally consistent simple T^-trees; as we have seen in Lemmas 15.271 and I5.28[ when 
embedded into CGFs, these trees give rise to positional strategies. □ 

The positionality of TCg gives us the following, stronger, version of the completeness the- 
orem for our tableau procedure: 

Theorem 5.37 (Positional completeness) Let 6 be an ATL formula and let T e be open. 
Then, 9 is satisfiable in a CGM based on a frame with positional strategies. 

Corollary 5.38 If an ATL-formula 6 is tightly satisfiable, then it is tightly satisfiable in a 
positional CGM. 

Proof. Suppose that 9 is tightly satisfiable in a CGM based on a CGF with perfect recall 
strategies. Then, by Theorem 15. 15[ the tableau T 9 for 9 is open. It then follows form Theo- 
rem [533 that 9 is satisfiable in a positional CGM. □ 



6 Some variations of the method 

In the present section, we sketch some immediate adaptations of the tableau method described 
above for testing other strains of satisfiability, such as loose ATL-satisfiability and ATL- 
satisfiability over some special classes of frames. Other, less straightforward, adaptations will 
be developed in follow-up work. 

6.1 Loose satisfiability for ATL 

The procedure described above is easily adaptable to testing ATL-formulae for loose satis- 
fiability, which the reader will recall, is satisfiability over frames with exactly one agent not 
featuring in the formula. All that is necessary to adapt the above-described procedure to 
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testing for this strain of satisfiability is the modification of the (Next) rule in such a way 
that it accommodates |E#| + 1 agent rather than |E#|. As such a modification is entirely 
straightforward, we omit the details. The complexity of the procedure is not affected. 

6.2 ATL over special classes of frames 

Some classes of concurrent game frames are of particular interest (for motivation and exam- 
ples, see [5]). 

6.2.1 Turn-based synchronous frames 

In turn-based synchronous frames, at every state, exactly one agent has "real choices". Thus, 
agents take it in turns to act. 

Definition 6.1 A concurrent game frame 5 = (E,£, d, 5) is turn-based synchronous if, for 
every s £ S, there exists agent a s G E, referred to as the owner of s, such that d a {s) = 1 for 
all a G E \ {a s }. 

To tests formulae for satisfiability over turn-based synchronous frames, we need to make 
the following adjustments to the above tableau procedure (we are assuming that we are testing 
for tight satisfiability; loose satisfiability is then straightforward) . All the states of the tableau 
are now going to be "owned" by individual agents. Intuitively, if A is "owned" by a G Eg, it 
is agent's a turn to act at A; we indicate ownership by affixing the name of the owner as a 
subscript of the state. The rule (SR) now looks as follows: 

(SR) Given a prestate T, do the following: 

1. for every a G Eg, add to the pretableau all the minimal downward saturated extensions 
of r, marked with a (all thus created sets A a are a-states); 

2. for each of the so obtained states A a , if A a does not contain any formulae of the form 
((A)) Otp or ->{A))Oip, add the formula ((Eg)) OT to A a ; 

3. for each state A a obtained at steps 1 and 2, put T ==>- A a ; 

4. if, however, the pretableau already contains a state A„ that coincides with A a , do not 
create another copy of A' a , but only put T =^ A' a . 

Moreover, when creating prestates from a-states, all agents except a get exactly one vote, 
while a can still vote for any next-time formula in the current state. The rule (Next), 
therefore, now looks as follows: 

(Next) Given a state A a such that for no x we have x> £ A , do the following: 

1. order linearly all positive and proper negative next-time formulae of A a in such a way 
that all the positive next-time formulae precede all the negative ones; suppose the result 
is the list 

L = (A )) 0<A), • • • , (An-l)) O tpm-i, ^((A' )) O rp'o, • • • , n^jO^i. 

(Due to step 2 of (SR), L is non-empty.) Let rA = m + I; denote by D(A a ) the set 
{ a G Nl E "l I < a a < r A and a b = 0, for all b ^ a }; 
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2. consider the elements of D(A a ) in the lexicographic order and for each a G D(A a ) do 
the following: 

(a) create a prestate 

r CT = { if p | £ A a and a £ A p and cr a = p } 

U {ip p | ((yip)) Ov? p G A a and a ^ A p } 
U { -.^9 I -(K)) O G A a and a G } 
u { "'V'g I - , ((4))0^ G A a and a ^ ^ and cr a = q } 
put r CT = {T} if all four sets above above are empty. 

(b) connect A a to with — — >; 

If, however, r CT = T for some prestate T that has already been added to the pretableau, 
only connect A to T with — — k 

Otherwise, tableaux testing for satisfiability over turn-based synchronous frames are no 
different from those for satisfiability over all frames. 

6.2.2 Moore synchronous frames 

In Moore synchronous frames over the set of agents X, the set of states S can be repre- 
sented as a Cartesian product of sets of local states S'aeS) one for each agent. The actions 
of agents are determined by the current "global" state s G S; each action a a of agent a at 
state s G S, however, results in a local state determined by a function 5 a mapping pairs 
( global state, a-move) into S a . Then, given a move vector a G D(s), representing simul- 
taneous actions of all agents at s, the cr-successor of s is determined by the local states of 
agents produced by their actions — namely, it is a A;-tuple (where k = |S|) of respective local 
states (<5i(s,oi), . . . , S)~(s,q t )), one for each agent. This intuition can be formalized as follows 
(see 0): 

Definition 6.2 A CGF $ = (S,5, d, 5) is Moore synchronous if the following two conditions 
are satisfied, where k = [E\: 

• S = Si x • • • x 

• for each state s G S, move vector a, and agent a G £, there exists a local state 5 a (s,o- a ) 
such that S(s, a) = (<5i(s, o\), . . . , <5fc(s, o\)). 

Definition 6.3 A CGF $ = (E,S,d,5) is bijective, if 5(s,a) ^ 5(s,a') for every s G S and 
every a and a' such that a' . 

It is easy to see that every bijective frame is isomorphic to a Moore synchronous one. 
Therefore, if — for whatever reason — using our tableau procedure, we want to produce a Moore 
synchronous model for the input formula, we simply never identify the states created in the 
course of applying the (Next) rule. This clearly produces a bijective, and hence Moore 
synchronous, model. By inspecting the tableau procedure, it can be noted that identification 
or otherwise of the states never affects the output of the procedure. Therefore, an analysis of 
our tableau procedure leads to the following claim: 

Theorem 6.4 ([13]) Let 9 be an ATL-formula. Then, is satisfiable in the class of all 
CGFs iff it is satisfiable in the class of Moore synchronous CGFs. 
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7 Concluding remarks 



We have developed a complexity-efficient terminating incremental-tableau-based decision pro- 
cedure for ATL and some of its variations. This style of tableaux for ATL, while having the 
same worst-case upper bound as the other known decision procedures, including the top-down 
tableaux-like procedure presented in [3D], is expected to perform better in practice because, 
as it has been shown in the examples, it creates much fewer tableau states. 

We believe that the tableau method developed herein is not only of more immediate 
practical use, but also is more flexible and adaptable than any of the decision procedures 
developed earlier in [29], [17], and [30]. In particular, this method can be suitably adapted 
to variations of ATL with committed strategies [2] and with incomplete information, which 
is the subject of a follow-up work. 

8 Acknowledgments 

This research was supported by a research grant of the National Research Foundation of South 
Africa and was done during the second author's post-doctoral fellowship at the University of 
the Witwatersrand, funded by the Claude Harris Leon Foundation. We gratefully acknowledge 
the financial support from these institutions. We also gratefully acknowledge the detailed and 
useful referees' comments, which have helped us improve significantly the presentation of the 
paper. 

References 

[1] Pietro Abate, Rajeev Gore, and Florian Widmann. One-pass tableaux for Computation 
Tree Logic. In Lecture Notes in Computer Science, pages 32-46. Springer- Verlag, 2007. 
Proc. LPAR 2007. 

[2] Thomas Agotnes, Valentin Goranko, and Wojciech Jamroga. Alternating-time temporal 
logics with irrevocable strategies. In D. Samet, editor, Proceedings of the 11th Inter- 
national Conference on Theoretical Aspects of Rationality and Knowledge (TARK XI), 
pages 15-24, Univ. Saint-Louis, Brussels, 2007. Presses Universitaires de Louvain. 

[3] Rajeev Alur, Thomas A. Henzinger, and Orna Kuperman. Alternating-time temporal 
logic. In Proceedings of the 38th IEEE Symposium on Foundations of Computer Science, 
pages 100-109, October 1997. 

[4] Rajeev Alur, Thomas A. Henzinger, and Orna Kuperman. Alternating-time temporal 
logic. In Lecture Notes in Computer Science, volume 1536, pages 23-60. Springer- Verlag, 
1998. 

[5] Rajeev Alur, Thomas A. Henzinger, and Orna Kuperman. Alternating-time temporal 
logic. Journal of the ACM, 49(5):672-713, 2002. 

[6] Rajeev Alur, Thomas A. Henzinger, F. Y. C. Mang, Shaz Qadeer, Sriram K. Rajamani, 
and Serdar Tasiran. Mocha: Modularity in model-checking. In Lecture Notes in Computer 
Science, volume 1427, pages 521-525. Springer- Verlag, 1998. 



46 



[7] Julian Bradfield and Colin Stirling. Modal ^-calculi. In Patrick Blackburn et al., editor, 
Handbook of Modal Logic, pages 721-756. Elsevier, 2007. 

[8] E. Allen Emerson. Temporal and modal logics. In J. van Leeuwen, editor, Handbook of 
Theoretical Computer Science, volume B, pages 995-1072. MIT Press, 1990. 

[9] E. Allen Emerson and Joseph Halpern. Decision procedures and expressiveness in the 
temporal logic of branching time. Journal of Computation and System Sciences, 30(1):1- 
24, 1985. 

[10] Ron Fagin, Joseph Halpern, Yoram Moses, and Moshe Vardi. Reasoning about Knowl- 
edge. MIT Press: Cambridge, MA, 1995. 

[11] Melvin Fitting. Proof Methods for Modal and Intuitionistic Logics. D. Reidel, 1983. 

[12] Melvin Fitting. Modal proof theory. In P. Blackburn et al., editor, Handbook of Modal 
Logic, pages 85-138. Elsevier, 2007. 

[13] Valentin Goranko. Coalition games and alternating temporal logics. In Johan van Ben- 
them, editor, Proceedings of the 8th conference on Theoretical Aspects of Rationality and 
Knowledge (TARK VIII), pages 259-272. Morgan Kaufmann, 2001. 

[14] Valentin Goranko and Wojciech Jamroga. Comparing semantics of logics for multi-agent 
systems. Synthese, 139(2) :241-280, 2004. 

[15] Valentin Goranko and Dmitry Shkatov. Deciding satisfiability in the full coalitional 
multiagent epistemic logic with a tableau-based procedure. Submitted, 2008. 

[16] Valentin Goranko and Dmitry Shkatov. Tableau-based decision procedure for the multi- 
agent epistemic logic with operators of common and distributed knowledge. In A. Cerone 
and S. Gruner, editors, Proc. of the Sixth IEEE conference on Software Engineering and 
Formal Methods (SEFM 2008). IEEE Computer Society Press, 2008, to appear. 

[17] Valentin Goranko and Govert van Drimmelen. Complete axiomatization and decidablity 
of Alternating-time temporal logic. Theoretical Computer Science, 353:93-117, 2006. 

[18] Rajeev Gore. Tableau methods for modal and temporal logics. In M. D'Agostino et al., 
editor, Handbook of Tableau Methods. Kluwer, 1998. 

[19] Helle Hvid Hansen. Tableau games for Coalition Logic and Alternating-time Temporal 
Logic. Master's thesis, University of Amsterdam, 2004. 

[20] Carl Hewitt. The challenge of open systems. In Derek Partridge and Yorick Wilks, editors, 
The Foundations of Artificial Intelligence - a Sourcebook, pages 383-395. Cambridge 
University Press, 1990. 

[21] Maarten Marx, Szabolcs Mikulas, and Mark Reynolds. The mosaic method for temporal 
logics. In Lecture Notes in Computer Science, volume 1847, pages 324-340. Springer- 
Verlag, 2000. 

[22] Marc Pauly. Logic for Social Software. PhD thesis, University of Amsterdam, 2001. 
ILLC Dissertation Series 2001-10. 



47 



[23] Marc Pauly. A logical framework for coalitional effectivity in dynamic procedures. Bul- 
letin of Economic Research, 53(4):305-324, October 2001. 

[24] Marc Pauly. A modal logic for coalitional power in games. Journal of Logic and Com- 
putation, 12(1):149-166, February 2002. 

[25] Marc Pauly and Rohit Parikh. Game logic — an overview. Studia Logica, 75(2): 165-182, 
2003. 

[26] Yoav Shoham and Kevin Leyton-Brown. Multi-agent systems: Algorithmic, Game- 
Theoretic, and Logical Foundations. CUP, 2008. 

[27] Raymond M. Smullyan. First-order Logic. Springer- Verlag, 1968. 

[28] Wolfgang Thomas. On the synthesis of strategies in infinite games. In E.W. Mayr and 
C. Puech, editors, Proceedings of the 12th Annual Symposium on Theoretical Aspects of 
Computer Science, STACS 7 95, volume LNCS 900, pages 1-13. Springer, 1995. 

[29] Govert van Drimmelen. Satisfiability in alternating-time temporal logic. In Proceedings 
of 18th IEEE Symposium on Logic in Computer Science (LICS), pages 208-217, 2003. 

[30] Dirk Walther, Carsten Lutz, Frank Wolter, and Michael Wooldridge. ATL satisfiability 
is indeed ExpTime-complete. Journal of Logic and Computation, 16(6):765-787, 2006. 

[31] Giinter Weiss, editor. Multiagent Systems. MIT Press, 1999. 

[32] Pierre Wolper. The tableau method for temporal logic: an overview. Logique et Analyse, 
28(110-111):119-136, 1985. 

[33] Michael Wooldridge. An Introduction to Multiagent Systems. John Willey and Sons, 
2002. 



48 



